1. Introduction

The motivation for this work began with a concern for the correctness of an implementation of logic. The system PC-NQTHM¹ is an interactive “proof-checker” enhancement of the Boyer-Moore Theorem Prover [3], and is documented in [10]. In [11] we report on an extension of this system that admits a notion of free variables. Roughly, free variables are ones that the user is allowed to instantiate in the course of a proof. An earlier version of this extension for free variables had a soundness bug in one of the commands, called GENERALIZE. This command allows one to replace terms by new variables and proceed by proving the stronger, generalized version of the goal. (Thus, it corresponds to the inference rule of universal instantiation.) In fact the bug was easily corrected and the correctness of the resulting GENERALIZE command was checked on paper. However, the rude shock of having made a soundness mistake in the previous version led to the following goal: formalize the new version of the GENERALIZE command in the Boyer-Moore logic, and mechanically check a proof of correctness of this formalization.


In this paper we present a mechanically-checked proof of correctness for a generalization algorithm. Although the theorem itself is probably new (at least, we are unaware of any existing statement of it), the interest here lies not particularly in the theorem per se but, rather, lies in the demonstration of the use of mechanical verification for assisting in the reliability of detailed proofs and software. In particular, we believe that this exercise strongly suggests the feasibility of creating a verified version of PC-NQTHM, i.e. one which is proved correct in the Boyer-Moore theorem prover or in some successor of that system.


Thus, this paper could be viewed as a contribution to the study of metatheoretically extensible systems. Some reports of research in this spirit can be found in works of Davis and Schwartz [6], Weyhrauch [18], Boyer and Moore [2], Shankar [16], Knoblock and Constable [14, 13], Howe [9], and Quaife [15]. However, we also view this paper as an exposition which provides a rather detailed look at the practice of using the Boyer-Moore theorem prover and PC-NQTHM to proof-check mathematical arguments.


Although the development here is intended to capture the behavior of PC-NQTHM, it is actually an abstraction of that behavior. Hence, no familiarity with PC-NQTHM is required for an understanding of this document. Moreover, little particular understanding of the Boyer-Moore logic (cf. [1, 3]) should be necessary for a comfortable reading of this paper (although for those interested, a complete treatment of the Boyer-Moore theorem prover and the enhancements used here can be found in [1, 3, 10, 12, 4, 11]). A summary of the basics needed in order to follow the treatment in this paper may be found in the first subsection 1.1 immediately below. We follow this with a very general discussion of the methodology employed in the use of the Boyer-Moore theorem prover and PC-NQTHM in Subsection 1.2. A brief view of the main theorem and the high-level structure of its proof may be found in Subsection 1.3. We conclude this introduction with a summary of the remainder of the paper.

¹ “PC” for “proof-checker”, “NQTHM” for the name commonly given to the current Boyer-Moore theorem prover.

1.1 Introduction to the Boyer-Moore logic and theorem prover

For a description of the Boyer-Moore logic and theorem prover we refer the reader to the careful description in [3]. For now let us simply point out a few aspects of the logic and theorem prover.

One may simply view the Boyer-Moore logic as a version of first-order logic that has an induction rule of inference. Further details will be provided as needed during the presentation below. For now, let us simply note that a session with the Boyer-Moore theorem prover consists of a sequence of so-called events, which are generally either definitions or lemmas/theorems. A sequence of events stored at a given moment is called a history. Thus, this paper can be viewed as the presentation of a particular history that culminates in a lemma event stating the correctness of the algorithm in question.

There are a few built-in function symbols which, together with corresponding axioms, are part of the logic's basic (built-in) theory, i.e. are part of every history. Here is a summary of some of those that we will use in this paper. In each case we write terms in two ways. First, we write them in official s-expression (Lisp) notation, i.e. in the form (G t₁ ... tₙ) where each tᵢ is a term in that notation and G is a function symbol (of the current history). Second, we write them in informal, more traditional notation. We will follow this convention throughout this paper. Moreover, we will write s-expressions using upper-case characters and traditional notation using lower-case characters. Here, then, are the primitives promised above.

• (CONS X Y) or <x, y>: the ordered pair formed from x and y. CONS is also used to represent lists (sequences), in which case the atom NIL represents the empty list and (CONS X Y) represents the sequence whose first element is X and whose remaining elements (in order) form the sequence Y.

• (CAR Z) or 1st(z): the first component of the ordered pair z

• (CDR Z) or 2nd(z): the second component of the ordered pair z

• (LISTP Z) or listp(z): z is an ordered pair

• T: the boolean true

• F: the boolean false

• (LESSP X Y) or x < y: x is less than y

• (MEMBER A X) or a ∈ x: a is a member of x

The basic logic does not contain first-order quantification, so one often expresses quantified concepts using primitive recursion. Consider the following (irrelevant but instructive) definition of a predicate that holds of a list if and only if all of its elements are ordered pairs.

Definition of ALL-LISTP

    all-listp(x) = (∀ y ∈ x) listp(y)

    (DEFN ALL-LISTP (X)
      (IF (LISTP X)
          (AND (LISTP (CAR X))
               (ALL-LISTP (CDR X)))
          T))

The first version of this definition is informal. In fact x is (presumably) a list, not a set (there is no built-in set type), so the predicate ∈ doesn't really make precise sense here, though it's highly suggestive. We'll continue in this style throughout this paper.

The theorem prover contains a number of “processes”, but most of the work is done by its simplifier, whose main component is a rewriter. The user labels certain lemmas as rewrite rules, and the system then rewrites using them. For example, consider the following rule, which says how the function all-listp above applies to a CONS.

Lemma ALL-LISTP-CONS

    listp(a) →
      ( all-listp({a} ∪ x) = all-listp(x) )

    (IMPLIES (LISTP A)
             (EQUAL (ALL-LISTP (CONS A X))
                    (ALL-LISTP X)))

Again, the first version is merely suggestive, since the ∪ operator applies to sets, not lists. The name of this lemma is indicated to be ALL-LISTP-CONS. If we label it to be a rewrite rule then the theorem prover's rewriter will simplify any term of the form (ALL-LISTP (CONS A X)) to the term (ALL-LISTP X) provided it can establish (LISTP A). Again, while this extremely brief introduction to the logic and theorem prover should suffice as a prerequisite for the rest of the paper, the reader is welcome to consult [3] for a much more thorough treatment.
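As an added illustration (our own code, not the prover's), here is a miniature conditional rewriter in Python that applies ALL-LISTP-CONS the way the text describes: the rule fires only when its hypothesis (LISTP A) can be relieved. The term encoding, the rule table and the purely syntactic way of deciding LISTP are our simplifications of what the Boyer-Moore simplifier actually does.

```python
# Miniature conditional rewriter (added example, not the prover's code).
# Term encoding (ours): a variable is a Python string, an application is a
# tuple ("FN", arg1, ...), and ("QUOTE", obj) is a constant, where obj stands
# for a Lisp object (a pair is modelled as a 2-tuple (car, cdr)).

def is_var(t):
    return isinstance(t, str)

def match(pat, term, binds):
    """One-way matching: bind the rule's variables to subterms of term."""
    if is_var(pat):
        if pat in binds:
            return binds[pat] == term
        binds[pat] = term
        return True
    if pat[0] == "QUOTE":
        return pat == term
    if is_var(term) or len(pat) != len(term) or pat[0] != term[0]:
        return False
    return all(match(p, t, binds) for p, t in zip(pat[1:], term[1:]))

def instantiate(t, binds):
    if is_var(t):
        return binds.get(t, t)
    if t[0] == "QUOTE":
        return t
    return (t[0],) + tuple(instantiate(a, binds) for a in t[1:])

def known_listp(arg):
    """Relieve (LISTP arg) syntactically: a CONS application is a pair, a
    quoted constant is inspected, and anything else counts as unknown."""
    if is_var(arg):
        return False
    if arg[0] == "CONS":
        return True
    if arg[0] == "QUOTE":
        return isinstance(arg[1], tuple)
    return False

def relieve(hyp, binds):
    hyp = instantiate(hyp, binds)
    return (not is_var(hyp)) and hyp[0] == "LISTP" and known_listp(hyp[1])

# ALL-LISTP-CONS as a rewrite rule:
#   (IMPLIES (LISTP A) (EQUAL (ALL-LISTP (CONS A X)) (ALL-LISTP X)))
ALL_LISTP_CONS = {
    "hyps": [("LISTP", "A")],
    "lhs": ("ALL-LISTP", ("CONS", "A", "X")),
    "rhs": ("ALL-LISTP", "X"),
}

def rewrite(term, rules):
    """Simplify inside-out: rewrite the arguments, then try each rule at the
    top; a rule fires only if every one of its hypotheses is relieved."""
    if is_var(term) or term[0] == "QUOTE":
        return term
    term = (term[0],) + tuple(rewrite(a, rules) for a in term[1:])
    for rule in rules:
        binds = {}
        if match(rule["lhs"], term, binds) and all(relieve(h, binds) for h in rule["hyps"]):
            return rewrite(instantiate(rule["rhs"], binds), rules)
    return term

# Constructed inputs: two CONSes whose first elements are known to be pairs,
# then a CONS whose first element is an unconstrained variable B.
KNOWN = ("ALL-LISTP", ("CONS", ("CONS", "P", "Q"),
                       ("CONS", ("QUOTE", ("a", None)), "X")))
UNKNOWN = ("ALL-LISTP", ("CONS", "B", "X"))

def demo():
    """KNOWN collapses to (ALL-LISTP X); UNKNOWN is left alone because
    (LISTP B) cannot be established."""
    return rewrite(KNOWN, [ALL_LISTP_CONS]), rewrite(UNKNOWN, [ALL_LISTP_CONS])
```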
1.2 Remarks on methodology

General hints on how to use the Boyer-Moore theorem prover may be found in the user's manual [3], particularly in Chapter 13. We also felt free to use PC-NQTHM, an interactive enhancement of the Boyer-Moore theorem prover described in [10, 11], to help explore some of the more difficult theorems. (Examples of such use may be found in [10].) However, the final proof script ultimately does not depend on PC-NQTHM, but only on the Boyer-Moore theorem prover with the enhancements for theories, LET, quantifiers, and functional variables mentioned above.

Our first completed proof was rather ugly² in a number of places. Apparently this phenomenon is rather typical for users of the Boyer-Moore theorem prover, since one is still discovering the proper abstractions and proof structure while carrying out the proofs. In fact, the helpful output of the system can also distract one towards proving lemmas that are geared specifically to allow a particular proof attempt to succeed rather than towards proving elegant, general lemmas. Our first proof did, however, generate a number of basic definitions and rules for the files "sets.events", "alists.events", and "terms.events" which can be found (in their current forms) in the Appendix. So that we could obtain a proof script amenable to this exposition, we did the proof again, starting with those three files. Having those files already loaded allowed many of the proofs to go through automatically, which freed our attention for more substantive matters. In the course of the new proof a few additional basic rules were discovered and the three aforementioned libraries were suitably enhanced during this “polishing” process. Not surprisingly, when we moved some of those new basic rules up to those three files from our final file, some proofs in the final file no longer succeeded; when a rewrite rule is moved in front of a PROVE-LEMMA event, it can affect the course of the event's automatic proof. But we were able to find a few more useful rules for the three preliminary files, without undue difficulty. The resulting proof as it exists in the final file, "generalize.events", is reasonably concise. An advantage of this conciseness is that the result is quite amenable for description in the final two sections of this paper. Perhaps a disadvantage is that some of the struggles in completing the proof have been hidden, though we do make a few remarks about such difficulties where they came up.

We should be honest that although the lemmas stated in the final file "generalize.events" form the heart of the proof (in our view), still many of the supporting lemmas in the other three files are crucial too. A number of those lemmas were not only crucial to the main proof, but in fact were only discovered while trying to do that proof.³ The point here is that although the lemmas have been arranged into files for expository purposes, one should not be left with the impression that the first three files were created in isolation and then a fairly natural proof evolved without difficulty, as represented in "generalize.events". An unfortunate amount of sweat went into that proof! On the other hand, the original proof took well under a month, including the libraries and the time required to think about the theorem. So although our experience is that this kind of program verification remains a less-than-automatic activity, still we are not too disappointed by the amount of effort required. The exposition in this paper, however, is a different matter; it seemed quite time-consuming. We don't recommend such detailed expositions in general, although we hope that this one has pedagogical value.

² even compared to the final version!

We did not keep the set of lemmas in those first three files at a minimum. Rather, we were happy to build up less-than-minimal but useful libraries of rules. Therefore the thickness of the first three files in the Appendix is not entirely indicative of what is truly necessary for the successful processing of the events in the final file. On the other hand, we view the events in the first three files as being sufficiently fundamental that many or all of them should be usable in possible future work that involves notions such as lists, terms and substitutions.

Another obligation arising from honesty requires us to point out that hints to the Boyer-Moore prover have been omitted from the exposition below (although they do appear in the appendix). We simply felt that the hints would distract the reader from more substantive considerations, and would even be misleading in the absence of explanation.

Finally, let us remark that the time required to automatically replay the events constructed for this exercise was roughly an hour and a quarter on a Sun 3/60 with 20 megabytes main memory. Slightly under a half hour was spent on the events in the three preliminary files; the rest was spent on the events in "generalize.events".

1.3 Outline of theorem and proof

The main theorem is stated precisely in Section 4. However, here is a very informal version.

We want to model a proof development methodology similar to the one in PC-NQTHM [10, 11], as explained at the start of the introduction. (In fact, similar “proof refinement” methodologies have been implemented in systems preceding PC-NQTHM as well, for example LCF [7] and its “descendants” HOL [8] and Nuprl [5].) In the PC-NQTHM methodology, the user starts with a proof state consisting of a single goal, namely the goal to be proved, and proceeds to create new proof states by “refining” goals into subgoals and simplified goals. The proof is complete when all goals of the state are simply T (true). Let us explain this more carefully (but still informally).

³ People familiar with the Boyer-Moore prover will correctly guess that many of these lemmas were thought up by reading failed proof transcripts and thinking about what might be useful to prove as rewrite rules. Others were discovered by crawling around through terms using PC-NQTHM.

First imagine a situation where one has a formula in some logic that he wishes to show is a theorem. One approach would be to replace that formula with a list of new formulas whose conjunction implies the given formula. (Such a step may be called a “refinement step”.) The resulting formulas are then the goals that remain to be proved. The first formula in this list, which we will call the current (or top) goal, may then be similarly refined into subgoals that imply it, leaving one with those new goals, together with the existing goals other than that current goal. Once a current goal is simply the formula T (true), it is replaced by the empty list of goals. One would hope to be able to continue this process until there are no goals left, in which case one can conclude that the original goal is a theorem. Such a sequence of steps will be called a “proof”, though it is perhaps better viewed as a demonstration that a proof exists in that logic.

We might call the current list of (as yet unproved) goals the “current proof state”. However, imagine a slightly more general paradigm in which a proof state consists not only of unproved goals but also of a list of variables called the free variables of that proof state. The idea is that one should be free to substitute for the free variables. For example, suppose there is a single goal, of the form t₁ < t₂. Clearly it suffices to find some z for which t₁ < z and z < t₂. So, it should be legal to replace the current goal t₁ < t₂ with a list of the two goals t₁ < z and z < t₂, with the stipulation that z is to be considered free. Then if we are able to find some term u for which we can prove t₁ < u and u < t₂, then we will be allowed to substitute u for z and carry out that proof.

Suppose a proof state has the property that there is some way of substituting terms for its free variables, into its goals, such that the resulting goals are all theorems. Such a proof state will be called valid. The “key lemma” for a proof of correctness of such a refinement-based system would establish that each refinement transformation has the following property: whenever the new state is “valid” in an appropriate sense, then the given state is “valid”. For then an easy induction would let one conclude that if one performs a series of such state transformations, starting with the user's given goal and resulting in a state where all goals are disposed of, then (as such a final state is presumably “valid”) the original state is “valid”, and hence, presumably, the original goal is a theorem.
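To make the notion of a valid state concrete, here is an added Python toy (our code, not the paper's formalization) that models the t₁ < t₂ refinement just described: goals are comparisons between numerals and variables, a state carries its list of free variables, and validity is decided by a bounded search for an assignment of numerals to the free variables. The numeral-only term language and the bounded search are our assumptions; the paper's notion quantifies over arbitrary terms.

```python
from itertools import product

# Constructed: the numerals that may be substituted for a free variable.
# Bounding the search keeps validity decidable in this toy.
CANDIDATES = range(10)

def substitute(goal, env):
    """Apply an assignment of numerals to the variables of a goal t1 < t2."""
    t1, t2 = goal
    return (env.get(t1, t1), env.get(t2, t2))

def closed_true(goal):
    """A goal with no variables left is a theorem exactly when t1 < t2 holds.
    A goal that still mentions an uninstantiated variable is not accepted."""
    t1, t2 = goal
    return isinstance(t1, int) and isinstance(t2, int) and t1 < t2

def valid_state(state):
    """A state (goals, free_vars) is valid when some substitution for its free
    variables turns every goal into a theorem."""
    goals, free_vars = state
    for values in product(CANDIDATES, repeat=len(free_vars)):
        env = dict(zip(free_vars, values))
        if all(closed_true(substitute(g, env)) for g in goals):
            return True
    return False

def refine_transitivity(state, z):
    """Refinement step from the text: replace the current (first) goal t1 < t2
    by the two goals t1 < z and z < t2, declaring z free.  z must be new."""
    goals, free_vars = state
    (t1, t2), rest = goals[0], goals[1:]
    if z in free_vars or z in (t1, t2):
        raise ValueError("the new free variable must be fresh")
    return ([(t1, z), (z, t2)] + rest, free_vars + [z])

def key_lemma_holds(state, z):
    """The property the correctness proof needs of each refinement step: if
    the refined state is valid then so is the given state."""
    return (not valid_state(refine_transitivity(state, z))) or valid_state(state)
```

Note that the converse fails: ([(4, 5)], []) is valid, but its refinement 4 < z, z < 5 has no solution among the numerals, which is exactly why the key lemma is stated in the direction from new state to given state.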
Such a refinement system may have a number of legal refinement steps, so for a correctness result of the type described in the previous paragraph, one would have to prove a “key lemma” for each of these. We confine ourselves in this paper to such a proof for a single refinement step that we call generalization. The idea is that if one wishes to prove a goal g containing a subterm t, it should be legal to replace t in g by a new variable. Standard logics have the property that if the result is a theorem, then the original goal is a theorem.

There is a subtlety which makes this correctness proof not completely trivial, namely, generalization in this sense is not sound in general, i.e. the aforementioned key lemma may fail to hold. The problem has to do with free variables, and examples are given in Subsection 4.1. Rather than get into details at this point, let us simply state that there is a way to define generalization so that it is correct and reasonable.

The main theorem in this paper states the correctness of a formalization of generalization in this context.

62. Theorem. GENERALIZE-IS-CORRECT

    generalize-okp(sg, state) ∧ valid-state(generalize(sg, state))
      → valid-state(state)

    (IMPLIES (AND (GENERALIZE-OKP SG STATE)
                  (VALID-STATE (GENERALIZE SG STATE)))
             (VALID-STATE STATE))

Here GENERALIZE-OKP is a predicate which may be viewed as a precondition under which the user is allowed to apply the GENERALIZE refinement rule. We also prove the much simpler “sanity” theorem, saying that if generalization is legal then the result is still a state. We'll say no more about this, except to mention that it could be useful in case we wish (someday) to extend the current theorem to handle a sequence of PC-NQTHM-like commands.

13. Proposition. GENERALIZE-STATEP

    (IMPLIES (GENERALIZE-OKP SG STATE)
             (STATEP (GENERALIZE SG STATE)))

The function GENERALIZE is actually rather subtle, and the proof is more subtle than one might initially expect. Our approach in the mechanized proof-checking exercise was to break this theorem into major subtheorems, some of which were broken down further, and so on. In each case we checked that the theorem followed from its subtheorems, by adding the subtheorems as (temporary) axioms and running the Boyer-Moore theorem prover on the desired theorem (after proving minor subtheorems on which the theorem also depends; these are omitted in the diagram below). This top-level structure of the proof is rather evident upon inspection of the final file "generalize.events" in the Appendix, and is also evident in the structure of the final section of the paper. Here is a brief summary, for convenience. We refer to the theorems by name as well as by the numbers associated with them in the file "generalize.events".

                          generalize-is-correct
                                    |
                              main-theorem-1
                                    |
                                    |
                          main-theorem-1-case-4
                              /            \
                             /              \
                   main-hyps-suffice         \
                     /          \           / \
                    /            \         /   \
  main-hyps-relieved-5   main-hyps-relieved-6   \
                            /        \   main-hyps-suffice-first   main-hyps-suffice-rest
                           /          \
  main-hyps-relieved-6-first   main-hyps-relieved-6-rest
                                 /         |          \
                                /          |           \
                               /   main-hyps-relieved-6-rest-lemma-2   \
  main-hyps-relieved-6-rest-lemma-1                       main-hyps-relieved-6-rest-generalization


1.4 Summary of the rest of the paper

It's problematic how best to describe a proof checked with the Boyer-Moore prover. The appendix at the end of this report contains a complete list of events, including supporting events about sets, alists, terms, and proof theory. However, most readers will only find this list helpful for reference, at best. In the paper proper we outline a proof of the main theorem with a liberal amount of explanation. The development will refer to events in the appendix, but (as indicated above) will also display the events using conventional mathematical notation. Therefore, familiarity with Lisp notation is not a prerequisite for being able to follow the treatment here. There actually is one exception that we mention now: semicolons (;) denote the start of comments, so that all characters from a semicolon up to the end of the line should be viewed as informal comments only.


The following section (Section 2) presents the underlying logical preliminaries such as the notion of term. That is followed by a presentation in Section 3 of some basic but important lemmas about these notions. Section 4 then presents further notions specific to the theorem in question, culminating with a statement of that theorem. Finally, Section 5 contains a proof of the theorem that closely follows the mechanically-checked proof. Thus, one may view the final section either as being simply an informal proof of the theorem in English or as being a guide to the mechanically-checked proof.

The appendices contain four files of events that replay in the Boyer-Moore theorem prover as extended by notions of theories and LET notation (as described in [10]), first-order quantifiers (as described in [12]), and functional variables (as described in [4]). The first three of these sequences of events can be viewed as basic supporting libraries, corresponding to Sections 2 and 3 below. The last file may be viewed as the proof proper, including relevant definitions, and thus corresponds to the final two sections below.

2. Basic Notions

This section presents a number of primitive notions such as those of a variable, a term, and a substitution. Though these are quite standard, we state here the definitions of these notions used in the mechanically-checked proof development. We divide into subsections corresponding to the event files "sets.events", "alists.events", and "terms.events", all of which may be found in the Appendix, where complete definitions may be found. A brief introduction to the Boyer-Moore logic and to some of our conventions in this paper may be found in Subsection 1.1 above.

2.1 Sets

The event file "sets.events" forms the lowest-level foundation for our proof development. Here is a brief and very informal description of some of the functions defined in that file. The reader is referred to the Appendix for the actual definitions and for a number of basic lemmas. For convenience we indicate ordinary mathematical notation which “corresponds” to these notions. The correspondence isn't quite accurate since we will feel free to ignore the distinction between sets and lists for this purpose.

• (LENGTH L) or |l|: the number of elements in the list L

• (SUBSETP X Y) or x ⊆ y: equals T if every member of the list x is a member of the list y, otherwise returns F

• (DELETE X L) or l \ {x}: the result of deleting the first occurrence of X from the list L

• (DISJOINT X Y) or x ∩ y = ∅: equals T if X and Y share no common member, else F

• (INTERSECTION X Y) or x ∩ y: the subsequence of the list x consisting of members of the list y

• (SET-DIFF X Y) or x \ y: the subsequence of the list x obtained by removing members of the list y

• (SETP X) or setp(x): equals T if the list x contains no duplicates, else F

• (MAKE-SET X) or make-set(x): a list with no duplicates that has the same members as does X

2.2 Alists

Here is a brief and very informal description of some of the functions defined in the file "alists.events". The reader is referred to the Appendix for the actual definitions and for a number of lemmas.

• (ALISTP X) or alistp(x): equals T if x is an association list (alist), i.e. a list of ordered pairs

• (DOMAIN MAP) or domain(map): a list of all first components of ordered pairs from map

• (RANGE MAP) or range(map): a list of all second components of ordered pairs from map

• (VALUE X MAP) or map(x): the second component of the first ordered pair in map whose first component is x; we speak of this as being the value associated with x in map

• (INVERT MAP) or map⁻¹: returns the alist obtained by switching the first and second components of every ordered pair belonging to map.

• (MAPPING MAP) or mapping(map): equals T if map is an alist whose domain has no duplicates, else F

• (RESTRICT S NEW-DOMAIN) or s | new-domain: the subsequence of s consisting of pairs whose first components are members of new-domain.

• (CO-RESTRICT S NEW-DOMAIN) or s | new-domain: the subsequence of s consisting of pairs whose first components are not members of new-domain.

2.3 Terms

One typically defines the notion of term by recursion: a term is either a variable or the application of a function symbol to a list of terms (of an appropriate length). Our formal definitions of term and of various auxiliary notions will parallel this informal recursive one. This subsection is a summary of the file "terms.events", which may be found in the Appendix.

We'll begin with the notion of a variable. We could define the function VARIABLEP, thus specifying it as a unique function. However, we prefer to add an axiom asserting only some reasonable properties of this function, so as not to over-specify the notion of variable. Since the act of simply adding an axiom⁴ does not guarantee in general that the resulting theory is consistent, instead we will use an extension of the Boyer-Moore logic reported in [4] which allows an event form called CONSTRAIN. Perhaps the best way to explain CONSTRAIN is in the context of the example displayed below. The event below has name VARIABLEP-INTRO, and the designation (REWRITE) indicates that it is to be stored as one or more rewrite rules. It asserts that no LISTP object (i.e. ordered pair) is a variable, and that VARIABLEP returns a boolean value. The last argument of CONSTRAIN below, namely ((VARIABLEP NLISTP)), instructs the system to show that this axiom is consistent by showing that it holds when VARIABLEP is replaced by the function NLISTP (which is a predicate holding of objects that are not ordered pairs). Thus, we'll refer to this argument of a CONSTRAIN event as the witnessing alist. In fact, use of CONSTRAIN guarantees more than consistency: it guarantees conservativity, in that no new theorems can be proved for the existing history in the presence of this axiom (see [4] for more on this).

⁴ with the Boyer-Moore event type ADD-AXIOM
Introduction of VARIABLEP.

    ¬variablep(<a, b>) ∧ (variablep(x) = t ∨ variablep(x) = f)

    (CONSTRAIN VARIABLEP-INTRO (REWRITE)
      (AND (IMPLIES (LISTP X)
                    (NOT (VARIABLEP X)))
           (OR (TRUEP (VARIABLEP X))
               (FALSEP (VARIABLEP X))))
      ((VARIABLEP NLISTP)))


The function VARIABLE-LISTP recognizes lists of variables. We use the standard mechanism for representing quantification over lists in the Boyer-Moore logic, namely, primitive recursion.

Definition of VARIABLE-LISTP

    variable-listp(x) = (∀ v ∈ x) variablep(v)

    (DEFN VARIABLE-LISTP (X)
      (IF (LISTP X)
          (AND (VARIABLEP (CAR X))
               (VARIABLE-LISTP (CDR X)))
          (EQUAL X NIL)))

The next notion auxiliary to the notion of term is that of a function symbol. It is not important for the development that follows to know anything about the notion of a function symbol except that there is at least one 0-place function symbol (i.e. constant symbol), which we call (FN). Below is the appropriate CONSTRAIN event, which introduces FUNCTION-SYMBOL-P and FN and asserts that (fn) is a function symbol. Notice that the “witnessing alist” suggests that the prover check this axiom with FUNCTION-SYMBOL-P replaced by LITATOM and with FN replaced by the constant function that returns the literal atom 'ZERO.

Introduction of FUNCTION-SYMBOL-P.

    Let (FN) be an arbitrary function symbol, where for example
    (FN) could be 'ZERO and FUNCTION-SYMBOL-P could be LITATOM.

    (CONSTRAIN FUNCTION-SYMBOL-INTRO (REWRITE)
      (FUNCTION-SYMBOL-P (FN))
      ((FUNCTION-SYMBOL-P LITATOM)
       (FN (LAMBDA () 'ZERO))))

Now in order to define the notion of a term one has to define the notion of a list of terms as well. We will define these using mutual recursion, employing a standard trick for representing mutually recursive definitions in the Boyer-Moore logic: if FLG is not F then (TERMP FLG X) asserts that X is a term (informally, termp(x)), and otherwise (TERMP FLG X) asserts that X is a list of terms (informally, termp-list(x)).*


*Some Boyer-Moore prover users like to use 'LIST and T for the two explicitly-mentioned values of the FLG parameter in such situations. However, we found that a heuristic for defeating excessive backchaining was defeating some of our rewrite rules in that case.
Definition of TERMP (and termp-list)

termp(x) =
  [ variablep(x) ∨
    (termp(y_1) ∧ ... ∧ termp(y_n),
     where x is <f y_1 ... y_n> and function-symbolp(f)) ]

termp-list(<y_1, ..., y_n>) = [termp(y_1) ∧ ... ∧ termp(y_n)]

(DEFN TERMP (FLG X)
  (IF FLG
      (IF (VARIABLEP X)
          T
          (IF (LISTP X)
              (AND (FUNCTION-SYMBOL-P (CAR X))
                   (TERMP F (CDR X)))
              F))
      (IF (LISTP X)
          (AND (TERMP T (CAR X))
               (TERMP F (CDR X)))
          (EQUAL X NIL))))


The function ALL-VARS returns a list of all variables in x, where x is a term if flg is not F and a list of terms if flg is F. It does not bother to eliminate duplicates.

Definition of ALL-VARS

If x is a term, then
  all-vars(x) = {x} if x is a variable, else
                ∪ {all-vars(y) : y is an argument of x}

all-vars(<x_1, ..., x_n>) = ∪ {all-vars(x_i) : 1 ≤ i ≤ n}

(DEFN ALL-VARS (FLG X)
  (IF FLG
      (IF (VARIABLEP X)
          (LIST X)
          (IF (LISTP X)
              (ALL-VARS F (CDR X))
              NIL))
      (IF (LISTP X)
          (APPEND (ALL-VARS T (CAR X))
                  (ALL-VARS F (CDR X)))
          NIL)))


We  also  need  to  implement  some  notion  of  instantiation.  A  substitution  is  essentially  a  function  that 
maps  terms  to  terms,  represented  as  a  list  of  term  pairs.  Of  particular  interest  is  the  class  of  variable 
substitutions,  where  the  domain  consists  of  variables: 

Definition of VAR-SUBSTP

var-substp(s) = mapping(s) ∧ variable-listp(domain(s)) ∧ termp-list(range(s))

(DEFN VAR-SUBSTP (S)
  (AND (MAPPING S)
       (VARIABLE-LISTP (DOMAIN S))
       (TERMP F (RANGE S))))

Given a substitution s (not necessarily a variable substitution), we define the instantiation x/s of a term (or term list) x under the substitution s as follows. Notice that we follow the usual convention with respect to the parameter flg, namely if flg is F then x is a list of terms, and otherwise x is a single term.

Definition of SUBST

If x is a term, then:
  x/s = s(x)                     if x ∈ domain(s); else,
        x                        if variablep(x); else,
        <f y_1/s ... y_n/s>      if x is <f y_1 ... y_n>

If x is a list <y_1 ... y_n> of terms, then
  x/s = <y_1/s ... y_n/s>

(DEFN SUBST (FLG S X)
  (IF FLG
      (IF (MEMBER X (DOMAIN S))
          (VALUE X S)
          (IF (VARIABLEP X)
              X
              (IF (LISTP X)
                  (CONS (CAR X)
                        (SUBST F S (CDR X)))
                  ;; silly impossible value of F for non-termp
                  F)))
      (IF (LISTP X)
          (CONS (SUBST T S (CAR X))
                (SUBST F S (CDR X)))
          NIL)))


The following simple fact is one of many obvious facts that need to be proved. It says that the property of being a term (or term list, if FLG is F) is preserved by the application of a substitution.

Lemma. TERMP-SUBST

[termp(x) ∧ termp-list(range(s))] → termp(x/s)

[termp-list(x) ∧ termp-list(range(s))] → termp-list(x/s)

(IMPLIES (AND (TERMP FLG X)
              (TERMP F (RANGE S)))
         (TERMP FLG (SUBST FLG S X)))


Just as SUBST is used to apply a substitution to a term, the function APPLY-TO-SUBST is used to apply one substitution to another substitution, i.e. to apply a substitution s1 to each term in the range of another substitution s2. We may informally write

  s2 // s1

to denote the application of s1 to s2 in this sense. Formally, we have:

Definition of APPLY-TO-SUBST

s2 // s1 = {<x, y/s1> : <x,y> ∈ s2}

(DEFN APPLY-TO-SUBST (S1 S2)
  (IF (LISTP S2)
      (IF (LISTP (CAR S2))
          (CONS (CONS (CAAR S2) (SUBST T S1 (CDAR S2)))
                (APPLY-TO-SUBST S1 (CDR S2)))
          (APPLY-TO-SUBST S1 (CDR S2)))
      NIL))
We may now define the composition of substitutions s1 and s2, which we write as (s1 ∘ s2). This is the substitution that, when applied to a term, is the same as the result of first applying the substitution s1 and then the substitution s2. Let us display the definition of composition first in informal notation and then in formal notation. (Here is a minor detail for those familiar with the Boyer-Moore logic or Lisp: the definition of COMPOSE in the Boyer-Moore logic may safely use APPEND rather than UNION because the function VALUE only looks for the first occurrence of the key for which the value is to be found.)

Definition of COMPOSE (∘)

s1 ∘ s2 = (s1 // s2) ∪ {<x,y> ∈ s2 : x ∉ domain(s1)}

(DEFN COMPOSE (S1 S2)
  (APPEND (APPLY-TO-SUBST S2 S1)
          S2))

The following lemma shows that COMPOSE behaves similarly to ordinary function composition. We write the lemma both in informal and in formal notation.

Lemma. COMPOSE-PROPERTY

variable-listp(domain(s2)) ∧ [termp(x) ∨ termp-list(x)]
  → (x / s1) / s2 = x / (s1 ∘ s2)

(IMPLIES (AND (VARIABLE-LISTP (DOMAIN S2))
              (TERMP FLG X))
         (EQUAL (SUBST FLG S2 (SUBST FLG S1 X))
                (SUBST FLG (COMPOSE S1 S2) X)))
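As an added illustration, not part of the paper or its event files, here is a small Python model of SUBST, APPLY-TO-SUBST and COMPOSE as defined above, together with a check of COMPOSE-PROPERTY on a constructed term and a constructed counterexample showing why the hypothesis VARIABLE-LISTP (DOMAIN S2) is needed. The representation (variables as strings, an application <f y1 ... yn> as the list [f, y1, ..., yn], a substitution as a list of pairs searched first-match-first like VALUE) and the sample data are assumptions of this model.

```python
# Constructed model (added example, not the paper's code): a variable is a
# Python string, an application <f y1 ... yn> is the list [f, y1, ..., yn],
# and a substitution is a list of (key, term) pairs in which the first match
# wins, exactly as (VALUE X S) behaves on a Boyer-Moore alist.

def variablep(x):
    return isinstance(x, str)

def domain(s):
    return [k for k, _ in s]

def value(key, s):
    """(VALUE KEY S): first binding of KEY; only called after a MEMBER check."""
    for k, v in s:
        if k == key:
            return v
    return None

def subst(flg, s, x):
    """(SUBST FLG S X): flg True means x is a term, flg False a term list."""
    if flg:
        if x in domain(s):            # MEMBER X (DOMAIN S)
            return value(x, s)
        if variablep(x):
            return x
        if isinstance(x, list) and x:  # <f y1 ... yn>: keep f, substitute args
            return [x[0]] + subst(False, s, x[1:])
        return False                   # the "silly impossible value" for a non-term
    return [subst(True, s, y) for y in x]

def apply_to_subst(s1, s2):
    """s2 // s1: apply s1 to every term in the range of s2."""
    return [(k, subst(True, s1, v)) for k, v in s2]

def compose(s1, s2):
    """s1 o s2 = (s1 // s2) ++ s2, using APPEND as COMPOSE does."""
    return apply_to_subst(s2, s1) + s2

def compose_property_holds(flg, s1, s2, x):
    """COMPOSE-PROPERTY: (x/s1)/s2 equals x/(s1 o s2)."""
    return subst(flg, s2, subst(flg, s1, x)) == subst(flg, compose(s1, s2), x)

# Constructed data: the term (g (plus z (one)) y), where (one) is a 0-ary
# function symbol, and two variable substitutions S1 and S2.
TERM = ["g", ["plus", "z", ["one"]], "y"]
S1 = [("z", ["plus", "a", "b"]), ("y", "z")]
S2 = [("a", "c"), ("z", ["h", "w"])]

# Constructed counterexample: S2_BAD has the non-variable term (f c) in its
# domain, so VARIABLE-LISTP (DOMAIN S2) fails and the property need not hold.
S1_BAD = [("a", "c")]
S2_BAD = [(["f", "c"], "b")]
TERM_BAD = ["f", "a"]

if __name__ == "__main__":
    print(subst(True, S1, TERM))
    print(compose(S1, S2))
    print(compose_property_holds(True, S1, S2, TERM))             # True
    print(compose_property_holds(True, S1_BAD, S2_BAD, TERM_BAD))  # False
```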


The next notion illustrates our first use of quantifiers in this development. An extension of the Boyer-Moore logic and prover by first-order quantification is reported in [12]. Briefly, the idea is that there is a new event DEFN-SK, where the suffix "-SK" refers to Skolemization, a well-known means for removing quantifiers that was invented by the logician Thoralf Skolem. Every DEFN-SK event in fact adds quantifier-free axioms that uniquely define the indicated function symbol in a conservative extension (cf. 2.3) of the existing history. The DEFN-SK event below asserts that TERM1 is an instance of TERM2, with the usual convention that FLG indicates whether these are terms or term lists.

Definition of INSTANCE

instance(term1, term2) = (∃ s) [var-substp(s) ∧ (term1 = term2/s)]

(DEFN-SK INSTANCE (FLG TERM1 TERM2)
  (EXISTS ONE-WAY-UNIFIER
    (AND (VAR-SUBSTP ONE-WAY-UNIFIER)
         (EQUAL TERM1 (SUBST FLG ONE-WAY-UNIFIER TERM2)))))


In fact the system adds the following axiom to "implement" this definition. The first conjunct gives a sufficient condition for TERM1 to be an instance of TERM2: if TERM1 is the result of substituting a variable substitution ONE-WAY-UNIFIER into TERM2, then TERM1 is an instance of TERM2. The second conjunct gives a necessary condition for TERM1 to be an instance of TERM2 (i.e. gives a consequence of instance(term1, term2)): if TERM1 is an instance of TERM2 then (ONE-WAY-UNIFIER FLG TERM1 TERM2) is a variable substitution such that TERM1 is the result of instantiating TERM2 with this substitution. Let us state the axiom both in informal and in formal notation. In the informal version we will write the second conjunct in the natural order rather than the contraposed order of the formal version (which is stated that way for technical reasons related to rewriting). The function ONE-WAY-UNIFIER is what is generally called a Skolem function, in that its only given property is that it provides a witness (in this case, to the existence of an appropriate substitution).

Axiom added for INSTANCE

[ (var-substp(s) ∧ term1 = term2/s) → instance(term1, term2) ]

∧

[ instance(term1, term2) → (var-substp(s0) ∧ term1 = term2/s0) ]

where

  s0 = one-way-unifier(term1, term2)

(AND (IMPLIES (AND (VAR-SUBSTP ONE-WAY-UNIFIER)
                   (EQUAL TERM1
                          (SUBST FLG ONE-WAY-UNIFIER TERM2)))
              (INSTANCE FLG TERM1 TERM2))
     (IMPLIES (NOT (AND (VAR-SUBSTP (ONE-WAY-UNIFIER FLG TERM1 TERM2))
                        (EQUAL TERM1
                               (SUBST FLG
                                      (ONE-WAY-UNIFIER FLG TERM1 TERM2)
                                      TERM2))))
              (NOT (INSTANCE FLG TERM1 TERM2))))


Our final definition from "terms.events" is rather idiosyncratic to the application at hand; it will be used to construct a substitution that is used in the proof of the main theorem. nullify-subst(s) is a substitution that maps the domain of s to the constant term (FN).

Definition of NULLIFY-SUBST

nullify-subst(s) = {<x,c> : <x,y> ∈ s}

where c is a fixed constant symbol

(DEFN NULLIFY-SUBST (S)
  (IF (LISTP S)
      (IF (LISTP (CAR S))
          (CONS (CONS (CAAR S) (LIST (FN)))
                (NULLIFY-SUBST (CDR S)))
          (NULLIFY-SUBST (CDR S)))
      NIL))


3.  Some  Basic  Supporting  Lemmas 

In order to complete our mechanically-checked proof of the main theorem, we required a number of lemmas about the notions introduced above. We present some of those in this section, for two reasons. First, these lemmas give a flavor of the kinds of lemmas that appear in the libraries for this effort - "sets.events", "alists.events", and "terms.events" - and more generally, in other libraries as well. Second, we refer to these lemmas in some of the proofs that come later, but do not wish to clutter the exposition there with such trivial considerations. By the way, this is meant to be a representative list, not an exhaustive one.

The first lemma says that application of a substitution does not affect the domain.

Lemma. DOMAIN-APPLY-TO-SUBST (from "terms.events")

domain(s2 // s1) = domain(s2)

(EQUAL (DOMAIN (APPLY-TO-SUBST S1 S2))
       (DOMAIN S2))


The next lemma says that a substitution has no effect when its domain contains no variables occurring in the term to which it is applied.

Lemma. SUBST-NOT-OCCUR (from "terms.events")

[termp(x) ∨ termp-list(x)] ∧ variable-listp(domain(s)) ∧ domain(s) ∩ all-vars(x) = ∅
  → x/s = x

(IMPLIES (AND (TERMP FLG X)
              (VARIABLE-LISTP (DOMAIN S))
              (DISJOINT (DOMAIN S) (ALL-VARS FLG X)))
         (EQUAL (SUBST FLG S X) X))


The following lemmas say that there is no effect when restricting (respectively, co-restricting) a substitution s to a set x, as long as all of the variables of the term term to which s is applied belong to (respectively, do not belong to) x. (In fact, they say that it is sufficient that none of those variables belong to x ∩ domain(s).)

Lemma. SUBST-RESTRICT (from "terms.events")

( domain(s) ∩ all-vars(term) ⊆ x ∧
  variable-listp(domain(s)) ∧
  [termp(term) ∨ termp-list(term)] )
  → term / (x | s) = term / s

(IMPLIES (AND (SUBSETP (INTERSECTION (DOMAIN S) (ALL-VARS FLG TERM))
                       X)
              (VARIABLE-LISTP (DOMAIN S))
              (TERMP FLG TERM))
         (EQUAL (SUBST FLG (RESTRICT S X) TERM)
                (SUBST FLG S TERM)))

Lemma. SUBST-CO-RESTRICT (from "terms.events")

( x ∩ domain(s) ∩ all-vars(term) = ∅ ∧
  variable-listp(domain(s)) ∧
  [termp(term) ∨ termp-list(term)] )
  → term / (x |- s) = term / s

(IMPLIES (AND (DISJOINT X
                        (INTERSECTION (DOMAIN S) (ALL-VARS FLG TERM)))
              (VARIABLE-LISTP (DOMAIN S))
              (TERMP FLG TERM))
         (EQUAL (SUBST FLG (CO-RESTRICT S X) TERM)
                (SUBST FLG S TERM)))
Two related lemmas say that one can drop a part of a substitution whose domain does not intersect the term in question.

Lemma. SUBST-APPEND-NOT-OCCUR-1 (from "terms.events")

[ (termp(x) ∨ termp-list(x)) ∧
  variable-listp(domain(s1)) ∧
  all-vars(domain(s1)) ∩ all-vars(x) = ∅ ]
  → x / (s1 ∪ s2) = x / s2

(IMPLIES (AND (TERMP FLG X)
              (VARIABLE-LISTP (DOMAIN S1))
              (DISJOINT (ALL-VARS F (DOMAIN S1))
                        (ALL-VARS FLG X)))
         (EQUAL (SUBST FLG (APPEND S1 S2) X)
                (SUBST FLG S2 X)))

Lemma. SUBST-APPEND-NOT-OCCUR-2 (from "terms.events")

[ (termp(x) ∨ termp-list(x)) ∧
  variable-listp(domain(s2)) ∧
  all-vars(domain(s2)) ∩ all-vars(x) = ∅ ]
  → x / (s1 ∪ s2) = x / s1

(IMPLIES (AND (TERMP FLG X)
              (VARIABLE-LISTP (DOMAIN S2))
              (DISJOINT (ALL-VARS F (DOMAIN S2))
                        (ALL-VARS FLG X)))
         (EQUAL (SUBST FLG (APPEND S1 S2) X)
                (SUBST FLG S1 X)))


The following rewrite rule is kept in a disabled state, meaning that it is not used by the Boyer-Moore prover except when a hint is given to enable this rule. It is very useful when trying to prove that two lists do not intersect, because it reduces that problem to the problem of showing that nothing can belong to both lists. Functions such as DISJOINT-WIT are often called definable Skolem functions in that they provide witnesses to existential assertions (when they hold), in this case the assertion that x and y are not disjoint.*

Lemma. DISJOINT-WIT-WITNESSES (from "sets.events")

x ∩ y = ∅
  ↔ ¬ [ disjoint-wit(x,y) ∈ x ∧ disjoint-wit(x,y) ∈ y ]

(EQUAL (DISJOINT X Y)
       (NOT (AND (MEMBER (DISJOINT-WIT X Y) X)
                 (MEMBER (DISJOINT-WIT X Y) Y))))

The following lemma points out the obvious relationship between the domain of a restriction and the domain of the given substitution.


*The function DISJOINT-WIT is actually defined by recursion in "sets.events". The idea of using definable Skolem functions in the Boyer-Moore prover was brought to our attention by Ken Kunen.

Lemma. DOMAIN-RESTRICT (from "alists.events")

domain(s | dom) = domain(s) ∩ dom

(EQUAL (DOMAIN (RESTRICT S DOM))
       (INTERSECTION (DOMAIN S) DOM))


The remaining lemmas are also rather technical, so we prefer to list them without comment here.

Lemma. APPLY-TO-SUBST-IS-NO-OP-FOR-DISJOINT-DOMAIN (from "terms.events")

variable-listp(domain(s1)) ∧ domain(s1) ∩ all-vars(range(s2)) = ∅
  → s2 // s1 = s2

(IMPLIES (AND (VARIABLE-LISTP (DOMAIN S1))
              (ALISTP S2)
              (TERMP F (RANGE S2))
              (DISJOINT (DOMAIN S1)
                        (ALL-VARS F (RANGE S2))))
         (EQUAL (APPLY-TO-SUBST S1 S2) S2))

Lemma. VALUE-INVERT-NOT-MEMBER-OF-DOMAIN (from "alists.events")

g ∈ range(sg) ∧ domain(s) ∩ domain(sg) = ∅
  → sg⁻¹(g) ∉ domain(s)

(IMPLIES (AND (MEMBER G (RANGE SG))
              (DISJOINT (DOMAIN S) (DOMAIN SG)))
         (NOT (MEMBER (VALUE G (INVERT SG))
                      (DOMAIN S))))

Lemma. VALUE-APPLY-TO-SUBST (from "terms.events")

g ∈ domain(s) → (s // sg)(g) = s(g)/sg

(IMPLIES (MEMBER G (DOMAIN S))
         (EQUAL (VALUE G (APPLY-TO-SUBST SG S))
                (SUBST T SG (VALUE G S))))


The following obvious fact says that NULLIFY-SUBST does not alter the domain of a given substitution.

Lemma. DOMAIN-NULLIFY-SUBST (from "terms.events")

domain(nullify-subst(s)) = domain(s)

(EQUAL (DOMAIN (NULLIFY-SUBST S))
       (DOMAIN S))


Here is another important property of NULLIFY-SUBST.

Lemma. DISJOINT-ALL-VARS-RANGE-APPLY-SUBST-NULLIFY-SUBST (from "terms.events")

termp-list(range(s))
  → domain(sg) ∩ all-vars(range(s // nullify-subst(sg))) = ∅

(IMPLIES (TERMP F (RANGE S))
         (DISJOINT (DOMAIN SG)
                   (ALL-VARS T
                             (RANGE (APPLY-TO-SUBST (NULLIFY-SUBST SG)
                                                    S)))))
4. Statement of the Main Theorem

In this section we state our main theorem, which should perhaps be called a "metatheorem", since it's a theorem about formal theorems. The definitions in this section are all taken from the file "generalize.events", which is the last file in the Appendix. The events in that file have been numbered, and we give those numbers in the presentation below.

The  first  subsection  below  gives  an  outline  of  the  high-level  motivation  for  the  definitions  that  follow. 
This  is  followed  by  a  presentation  of  the  definitions  required  for  the  statement  of  the  main  theorem.  Some 
abbreviations  are  introduced  in  the  third  subsection.  We  conclude  by  stating  the  main  theorem. 

4.1  Motivation 

In the introduction to this paper we discuss the original motivation for this work, which was to increase our confidence in the correctness of a particular algorithm for generalization in the presence of free variables. The following example is taken from the final section of [11]. It shows the necessity, for soundness, of having some restriction on how the GENERALIZE command interacts with the set of free variables of the proof state. Suppose that the history contains the rather silly (but correct) theorem that [z+1 < z → C] for some contradiction C. Then to prove C, it suffices to prove [z+1 < z] for some z. In fact z here is what we call a free variable in PC-NQTHM; this designation has the effect of allowing us to instantiate z to be anything we like. Of course there is no value of z for which the statement [z+1 < z] is a theorem; there had better not be, or else C would be a theorem! But suppose we allow ourselves to generalize this goal by replacing z+1 by some new variable, say a. The goal then is [a < z]. If z were still a free variable, then we could instantiate it to be a+1, which would leave us with the goal [a < a+1]. But this goal is a theorem, which is supposed to imply that the original goal C is a theorem - yet, C was chosen to be a contradiction!

One way around such a problem is to enforce the following rule: when generalizing with a substitution that replaces terms with corresponding new variables (e.g. replaces z+1 with a in the example above), the system removes from the list of free variables any variable that occurs in that substitution (e.g. z in that example). However, we can avoid removing quite that many free variables in general. The idea is that we must at least remove from the list of free variables those variables that occur both in the new current goal and in any of the terms being generalized away.

However, that set alone is not enough. Consider the theorem

  [z+1 < w ∧ w = z] → C

where as above, C is contradictory. Again, proving C should be impossible, but we can do it if we can prove "appropriate" instances of the two goals [z+1 < w] and [w = z]. Here "appropriate" means "via some substitution whose domain is contained in the set of free variables of the new proof state"; that set is {z, w}. After generalizing [z+1] as in the previous example, we have the two goals [a < w] and [w = z]. According to the plan outlined just above, since z does not occur in the current goal [a < w] we may retain it on the list of free variables, and since w does not occur in the term [z+1] that was generalized away we may retain it on the list too. But now if we instantiate both w and z with a+1 then we can prove the resulting goals, a contradiction.

Here is an informal statement of the main result; a precise statement is of course the topic of the rest of this Section. This material is adapted from Subsection 4.3 of [11]. We defer to the proof presented in Section 5 below further motivation behind choices made here.

• Fix a proof state state, i.e. a list of terms (goals) together with a list of free variables.

• Let sg be a variable substitution.

• Let state' be the result of applying the GENERALIZE command, with substitution sg mapping new variables to terms. Thus, the new current (top) goal is the result of substituting the inverse sg⁻¹ of sg into the current goal of state, and the remaining goals are unchanged.

• Let FREE and FREE' be the respective sets of free variables of state and state'.

• Consider the symmetric binary relation R₀ defined on FREE as follows: R₀(v,w) if and only if v and w occur in a common goal of state'.

• Let R be the transitive closure of R₀.

• Let C be the range of R on the intersection of FREE with the variables of the current goal in state'.

• Let V be the set of variables that occur in the range of sg.

In the second example presented above, C = {z, w} and V = {z}, so C ∩ V = {z}. With this example in mind, loosely speaking we want to remove from FREE the set (C ∩ V) consisting of all variables from FREE that both occur somewhere in the terms being generalized away and also have "anything to do with" the new current goal (where "anything to do with" is defined in terms of the equivalence relation R). The precise relationship specified between FREE and FREE' is as follows.

  FREE' = (FREE \ (C ∩ V)) \ domain(sg)

Here then, finally, is what we need to prove. It says that if the state is "valid" after generalization then it was already "valid", where "valid" is as explained in Subsection 1.3: some instance, where only free variables are instantiated, is a theorem.

GENERALIZE SOUNDNESS THEOREM. Let G be the current goal in proof state state; let P be the conjunction of the rest of the goals of state; let sg be a substitution mapping some variables not occurring in state to terms; let G' = G/sg⁻¹ be the current goal in the new proof state state'; and let FREE and FREE' be the free variables of state and state', respectively. Suppose that for some substitution s' with domain contained in FREE', ⊢ (G' ∧ P)/s'. Then for some substitution s with domain contained in FREE, we have ⊢ (G ∧ P)/s.


An informal sketch of a proof of this theorem is outlined in [11]. Let us proceed with a careful and rather formal, but (we hope) motivated treatment.


4.2 Definitions for main theorem

Some terms are theorems relative to a given history. Here is the axiom that we introduce to capture the essence of "theoremhood"; in fact this is the only axiom we introduce about the notion of theorem. As in the introduction of the notions of variable and function symbol in Subsection 2.3, we use the CONSTRAIN mechanism to guarantee the consistency of these axioms. The first conjunct says that every theorem is a term. The second says that every instance of a theorem by a variable substitution is also a theorem.

1. Introduction of THEOREM.

[ theorem(x) → termp(x) ]

∧

[ (theorem(x) ∧ var-substp(s)) → theorem(x/s) ]

(CONSTRAIN THEOREM-INTRO (REWRITE)
  (AND (IMPLIES (AND (THEOREM X)
                     FLG)
                (TERMP FLG X))
       (IMPLIES (AND (THEOREM X)
                     FLG
                     (VAR-SUBSTP S))
                (THEOREM (SUBST FLG S X))))
  ((THEOREM (LAMBDA (X) F))))


The corresponding notion of a list of theorems is obvious, and has properties (not listed here; see event #3 in the Appendix) analogous to those for THEOREM in the event above.

2. Definition of THEOREM-LIST

theorem-list(x) = (∀ y ∈ x) theorem(y)

(DEFN THEOREM-LIST (X)
  (IF (LISTP X)
      (AND (THEOREM (CAR X))
           (THEOREM-LIST (CDR X)))
      (EQUAL X NIL)))


Next we wish to turn to the notion of a proof state, which is essentially a list of goals. We want to model a proof development methodology similar to the one in PC-NQTHM, as explained in the introduction, especially Subsection 1.3. That is, we model a proof state as an ordered pair (a LISTP) consisting of a term list (intuitively, a list of goals) together with a list of variables (intuitively, the free variables of that proof state).

4. Definition of STATEP

statep(<goals, free>) = termp-list(goals) ∧ variable-listp(free)

(DEFN STATEP (STATE)
  (AND (LISTP STATE)
       (TERMP F (CAR STATE))
       (VARIABLE-LISTP (CDR STATE))))

In order to state our main theorem we need a notion of valid state. This definition captures the corresponding notion defined in [11], namely, a valid state is a state with the following property: for some variable substitution on a subset of the free variables of the state, if one substitutes that substitution into the goals of the state then the results are theorems. (The event type "DEFN-SK" is discussed above with the definition of INSTANCE.)

5. Definition of VALID-STATE

valid-state(<goals, free-vars>) =
  (∃ s) (var-substp(s) ∧ domain(s) ⊆ free-vars ∧ theorem-list(goals/s))

(DEFN-SK VALID-STATE (STATE)
  (AND (STATEP STATE)
       (EXISTS WITNESSING-INSTANTIATION
         (AND (VAR-SUBSTP WITNESSING-INSTANTIATION)
              (SUBSETP (DOMAIN WITNESSING-INSTANTIATION) (CDR STATE))
              (THEOREM-LIST (SUBST F WITNESSING-INSTANTIATION (CAR STATE)))))))

This definition adds a Skolem function WITNESSING-INSTANTIATION. This function may be thought of as picking out a substitution which, when applied to the goals of a given valid state, yields a list of theorems. Here is the axiom added by the system for the DEFN-SK event above. As with the previous DEFN-SK event introducing the function INSTANCE, this property of the witness is expressed by the second conjunct in the following axiom (which is stated in the contrapositive in the formal version, for technical reasons).
Axiom added for VALID-STATE

[ ( statep(state) ∧
    var-substp(s) ∧
    domain(s) ⊆ 2nd(state) ∧
    theorem-list(1st(state)/s) )
  →
  valid-state(state) ]

∧

[ valid-state(state)
  →
  ( statep(state) ∧
    var-substp(s0) ∧
    domain(s0) ⊆ 2nd(state) ∧
    theorem-list(1st(state)/s0) )
  where
    s0 = witnessing-instantiation(state) ]

(AND (IMPLIES (AND (STATEP STATE)
                   (VAR-SUBSTP WITNESSING-INSTANTIATION)
                   (SUBSETP (DOMAIN WITNESSING-INSTANTIATION)
                            (CDR STATE))
                   (THEOREM-LIST (SUBST F WITNESSING-INSTANTIATION
                                        (CAR STATE))))
              (VALID-STATE STATE))
     (IMPLIES (NOT (AND (STATEP STATE)
                        (VAR-SUBSTP (WITNESSING-INSTANTIATION STATE))
                        (SUBSETP (DOMAIN (WITNESSING-INSTANTIATION STATE))
                                 (CDR STATE))
                        (THEOREM-LIST (SUBST F
                                             (WITNESSING-INSTANTIATION STATE)
                                             (CAR STATE)))))
              (NOT (VALID-STATE STATE))))


The following definition is auxiliary to GEN-CLOSURE. Informally, we can say that given a list free of "free variables" along with a list goals of terms and a list vars of variables (intuitively, a list of variables that we've constructed so far in our process of forming the closure), then new-gen-vars(goals, free, vars) is a list of those members of free that occur in a goal in goals that contains an occurrence of a variable in vars.

6. Definition of NEW-GEN-VARS

new-gen-vars(goals, free, vars) =
  ∪ {free ∩ all-vars(g) : g ∈ goals, free ∩ all-vars(g) ∩ vars ≠ ∅}

(DEFN NEW-GEN-VARS (GOALS FREE VARS)
  (IF (LISTP GOALS)
      ;; see below for explanation of LET
      (LET ((CURRENT-FREE-VARS (INTERSECTION FREE (ALL-VARS T (CAR GOALS)))))
        (IF (DISJOINT CURRENT-FREE-VARS VARS)
            (NEW-GEN-VARS (CDR GOALS) FREE VARS)
            (APPEND CURRENT-FREE-VARS
                    (NEW-GEN-VARS (CDR GOALS) FREE VARS))))
      NIL))


Notice the use of LET above. We use an extension to the syntax of the Boyer-Moore logic in which LET has the same meaning as it does in Common Lisp [17]; see the third appendix of the PC-NQTHM manual [10] for details. So for example, CURRENT-FREE-VARS in the definition above should be viewed as an abbreviation for (INTERSECTION FREE (ALL-VARS T (CAR GOALS))), i.e. for free ∩ all-vars(1st(goals)).


Now we can define the closure referred to above. We may speak of gen-closure(goals, free, free-vars-so-far) as "the GEN-CLOSURE of free-vars-so-far with respect to goals and free." The recursive nature of the definition of GEN-CLOSURE makes it a bit difficult to express informally; our apologies are probably in order for the rather obscure informal definition below.

10. Definition of GEN-CLOSURE

gen-closure(goals, free, free-vars-so-far) = x ∩ free, where

  x is the least fixed point of the function
  (λ x . [free-vars-so-far ∪ new-gen-vars(goals, free, x)])

(DEFN GEN-CLOSURE (GOALS FREE FREE-VARS-SO-FAR)
  (LET ((NEW-FREE-VARS (NEW-GEN-VARS GOALS FREE FREE-VARS-SO-FAR)))
    (IF (SUBSETP NEW-FREE-VARS FREE-VARS-SO-FAR)
        (INTERSECTION FREE-VARS-SO-FAR FREE)
        (GEN-CLOSURE GOALS FREE (APPEND NEW-FREE-VARS FREE-VARS-SO-FAR))))
  ;; the following hint is explained below
  ((LESSP (CARDINALITY (SET-DIFF FREE FREE-VARS-SO-FAR)))))


Notice that the definition above is recursive. The Boyer-Moore logic requires a proof in such cases; one might
call this a "termination proof". The proof obligation is actually completely precise and need not be understood
in the context of termination of some execution, though that's a reasonable motivation. Informally speaking,
the hint (LESSP (CARDINALITY (SET-DIFF FREE FREE-VARS-SO-FAR))) at the end of the
"DEFN" event above instructs the system to prove that the cardinality of (free \ free-vars-so-far)
decreases on each recursive call of the function GEN-CLOSURE. Formally, the proof obligation in this case is
as follows.

¬(new-free-vars ⊆ free-vars-so-far)
  →
|free \ (new-free-vars ∪ free-vars-so-far)| < |free \ free-vars-so-far|
  where new-free-vars = new-gen-vars(goals, free, free-vars-so-far)

(LET ((NEW-FREE-VARS (NEW-GEN-VARS GOALS FREE FREE-VARS-SO-FAR)))
  (IMPLIES (NOT (SUBSETP NEW-FREE-VARS FREE-VARS-SO-FAR))
           (LESSP (CARDINALITY (SET-DIFF FREE
                                         (APPEND NEW-FREE-VARS FREE-VARS-SO-FAR)))
                  (CARDINALITY (SET-DIFF FREE FREE-VARS-SO-FAR)))))


Inspection of the file "generalize.events" shows that a couple of lemmas were proved to help with the
termination proof. In particular, the following lemma is easily proved by the system using induction. (A
moment's reflection will suggest its utility in the proof of the termination goal displayed just above: since the
new variables all lie in FREE, any of them not already in FREE-VARS-SO-FAR is removed from
FREE \ FREE-VARS-SO-FAR by the recursive call, so that set strictly shrinks.)

8. Lemma. NEW-GEN-VARS-SUBSET

new-gen-vars(goals, free, vars) ⊆ free

(SUBSETP (NEW-GEN-VARS GOALS FREE VARS)
         FREE)
Now let us formalize the hypothesis under which the GENERALIZE command (to be defined shortly) is
allowed to be executed. The GENERALIZE command is intended to apply the inverse of some variable
substitution sg to the top goal in the current proof state. Thus in the examples presented earlier in this section,
the generalization obtained by replacing z+1 by a is represented by the variable substitution {<a, z+1>}.
As for the other parameters below: state is a proof state, the domain of sg is disjoint from the variables
occurring in the goals of the state, there is at least one goal in the state, and the domain of sg is disjoint
from the free variables of the state. We take liberties in the informal version below by writing state as
<goals, free>.

11. Definition of GENERALIZE-OKP

generalize-okp(sg, <goals, free>) =
  [ var-substp(sg) ∧
    statep(<goals, free>) ∧
    domain(sg) ∩ all-vars(goals) = ∅ ∧
    goals ≠ ∅ ∧
    domain(sg) ∩ free = ∅ ]

(DEFN GENERALIZE-OKP (SG STATE)
  (AND (VAR-SUBSTP SG)
       (STATEP STATE)
       (DISJOINT (DOMAIN SG)
                 (ALL-VARS F (CAR STATE)))
       (LISTP (CAR STATE))
       (DISJOINT (DOMAIN SG) (CDR STATE))))


We define the function GENERALIZE to take a substitution sg and a proof state state and return a new proof
state.¹ The goals of the new proof state are the same as the goals of state except that the first (i.e. top,
current) goal has been modified by substituting the inverse of the variable substitution sg into the first goal of
state, and the list of free variables has been (possibly) reduced.

12. Definition of GENERALIZE

generalize(sg, <{g} ∪ p, free>) =
  <{new-g} ∪ p,
   free \ (gen-closure({new-g} ∪ p, free, all-vars(new-g)) ∩ all-vars(range(sg)))>
  where new-g = g/sg⁻¹

(DEFN GENERALIZE (SG STATE)
  (LET ((G (CAAR STATE))          ;; the current goal
        (P (CDAR STATE))          ;; the rest of the goals
        (FREE (CDR STATE)))       ;; the free variables
    (LET ((NEW-G (SUBST T (INVERT SG) G)))    ;; the new current goal
      (LET ((DOMAIN-1                         ;; potentially "bad" free variables
             (GEN-CLOSURE (CONS NEW-G P)
                          FREE
                          (ALL-VARS T NEW-G))))
        (LET ((NEW-FREE                       ;; the new free variables
               (SET-DIFF FREE
                         (INTERSECTION DOMAIN-1 (ALL-VARS F (RANGE SG))))))
          (CONS (CONS NEW-G P)
                NEW-FREE))))))

¹ The set DOMAIN-1 in the definition of GENERALIZE is what is called C in 4.1 above; the name suggests (and is closely related to) the domain of a
substitution S1 that appears later, during the proof.
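As an added, executable illustration of the three definitions above (events 6, 10 and 12), not part of the paper or of the PC-NQTHM code, here is a Python model of NEW-GEN-VARS, GEN-CLOSURE and GENERALIZE run on a constructed proof state, together with a check that the termination measure |free \ free-vars-so-far| of the DEFN hint strictly decreases and that the subset lemma holds. The term representation (strings for variables, tuples for function applications), the precondition check and the sample state are assumptions of the example; the paper's running example of replacing z+1 by the new variable a is used for sg.

```python
# Added example (not from the paper): an executable Python model of the
# generalization algorithm defined by events 6, 10 and 12.  Terms are
# strings (variables) or tuples ('f', arg1, ..., argn); a constant is a
# one-element tuple such as ('1',).  A proof state is (goals, free): a list
# of goal terms and a list of free-variable names.  A substitution is a
# dict; keys may be whole terms so that the inverse of a variable
# substitution (INVERT SG) fits the same representation.


def all_vars(t):
    """ALL-VARS: the variables of a term, or of a list of terms."""
    if isinstance(t, str):
        return {t}
    parts = t if isinstance(t, list) else t[1:]
    return set().union(*(all_vars(a) for a in parts))


def subst(s, t):
    """SUBST: t/s, replacing each maximal subterm that is a key of s."""
    if t in s:
        return s[t]
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(subst(s, a) for a in t[1:])


def invert(sg):
    """INVERT: map each term in range(sg) back to its variable."""
    return {term: var for var, term in sg.items()}


def new_gen_vars(goals, free, vars_):
    """Event 6: collect free ∩ all-vars(g) for every goal g whose free
    variables meet vars_, i.e. for the goals 'linked' to vars_."""
    result = []
    for g in goals:
        current = [v for v in free if v in all_vars(g)]
        if not set(current).isdisjoint(vars_):
            result.extend(current)
    return result


def gen_closure(goals, free, so_far, trace=None):
    """Event 10: least fixed point of x |-> so_far ∪ new_gen_vars(goals,
    free, x), intersected with free.  If a list is passed as trace, the
    termination measure |free - so_far| is appended on every call, so the
    caller can check that it strictly decreases (the DEFN hint)."""
    while True:
        if trace is not None:
            trace.append(len(set(free) - set(so_far)))
        new = new_gen_vars(goals, free, so_far)
        if set(new) <= set(so_far):
            return [v for v in dict.fromkeys(so_far) if v in free]
        so_far = new + so_far


def generalize_okp(sg, state):
    """Event 11 (STATEP is taken for granted by the representation)."""
    goals, free = state
    dom = set(sg)
    return (all(isinstance(v, str) for v in dom)
            and dom.isdisjoint(all_vars(goals))
            and len(goals) > 0
            and dom.isdisjoint(free))


def generalize(sg, state):
    """Event 12: g/sg^-1 becomes the current goal; free variables that lie
    in domain-1 and occur in range(sg) are no longer free."""
    goals, free = state
    g, p = goals[0], goals[1:]
    new_g = subst(invert(sg), g)
    domain_1 = gen_closure([new_g] + p, free, sorted(all_vars(new_g)))
    bad = set(domain_1) & all_vars(list(sg.values()))
    return ([new_g] + p, [v for v in free if v not in bad])


def splits_cleanly(goals, free, domain_1):
    """The property of domain-1 used later for MAIN-HYPS-RELIEVED-6: for each
    goal, its free variables lie entirely inside or entirely outside domain-1."""
    d = set(domain_1)
    for z in goals:
        fz = set(free) & all_vars(z)
        if not (fz <= d or fz.isdisjoint(d)):
            return False
    return True


# Constructed sample data (an assumption of this example), following the
# paper's example of replacing z+1 by a.  The second goal links z to w; the
# third goal is independent of both.
Z_PLUS_1 = ('+', 'z', ('1',))
SG = {'a': Z_PLUS_1}
STATE = ([('<', 'z', Z_PLUS_1), ('q', 'z', 'w'), ('p', 'x')],
         ['z', 'w', 'x'])

if __name__ == '__main__':
    assert generalize_okp(SG, STATE)
    new_goals, new_free = generalize(SG, STATE)
    print(new_goals)  # [('<', 'z', 'a'), ('q', 'z', 'w'), ('p', 'x')]
    print(new_free)   # ['w', 'x']: z is now tied to a and may no longer be instantiated
```

Running the block shows that z leaves the free list (it occurs in range(sg) and is in the closure), while w stays free even though it shares a goal with z: w is in domain-1 but does not occur in range(sg), exactly as the SET-DIFF/INTERSECTION in the definition prescribes.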
4.3 Some abbreviations


Before we state the main theorem, let us introduce some abbreviations for terms that occur repeatedly
throughout the rest of this exposition. As usual, we'll use both informal notation and formal notation to
introduce these abbreviations. Abbreviations will appear in italics font.

s = witnessing-instantiation(generalize(sg, state))
S = (WITNESSING-INSTANTIATION (GENERALIZE SG STATE))

goals = 1st(state)
GOALS = (CAR STATE)

g = 1st(goals)
G = (CAR GOALS)

p = rest(goals)
P = (CDR GOALS)

free = 2nd(state)
FREE = (CDR STATE)

new-g = g / sg⁻¹
NEW-G = (SUBST T (INVERT SG) G)

domain-1 = gen-closure({new-g} ∪ p, 2nd(state), all-vars(new-g))
DOMAIN-1 = (GEN-CLOSURE (CONS NEW-G P)
                        FREE
                        (ALL-VARS T NEW-G))

s1 = s | domain-1
S1 = (RESTRICT S DOMAIN-1)

s2 = (s |- domain-1) // nullify-subst(sg)
S2 = (APPLY-TO-SUBST (NULLIFY-SUBST SG) (CO-RESTRICT S DOMAIN-1))

gen-inst = (s1 ∪ s2) // (sg // s2)
GEN-INST = (APPLY-TO-SUBST (APPLY-TO-SUBST S2 SG) (APPEND S1 S2))


Let us use the abbreviations introduced above to restate the definition of GENERALIZE.

12. Definition of GENERALIZE

generalize(sg, <{g} ∪ p, free>) =
  <{new-g} ∪ p,
   free \ (domain-1 ∩ all-vars(range(sg)))>

(DEFN GENERALIZE (SG STATE)
  (CONS (CONS NEW-G P)
        (SET-DIFF FREE
                  (INTERSECTION DOMAIN-1 (ALL-VARS F (RANGE SG))))))


4.4 Statement of main theorem

Finally we can state the main theorem. It says that if the preconditions of the GENERALIZE command
are met and if the result of applying this command is a valid proof state, then the original proof state is valid.

62. Theorem. GENERALIZE-IS-CORRECT

generalize-okp(sg, state) ∧ valid-state(generalize(sg, state))
  → valid-state(state)

(IMPLIES (AND (GENERALIZE-OKP SG STATE)
              (VALID-STATE (GENERALIZE SG STATE)))
         (VALID-STATE STATE))


5.  Proof  of  the  Main  Theorem 

In  this  final  section  we  outline  the  mechanically-checked  proof  of  the  main  theorem 
GENERALIZE-IS-CORRECT  displayed  above.  We  actually  break  this  proof  into  three  parts.  First  we  show 
how  to  reduce  the  main  theorem  to  two  lemmas.  Then  we  devote  the  remaining  two  subsections  to  the 
respective  proofs  of  those  two  lemmas. 


5.1 Reducing the theorem to two lemmas

First of all, notice that by definition of VALID-STATE it suffices to find some substitution, call it
gen-inst(sg, state), for which we can prove the following fact.

61. Lemma. MAIN-THEOREM-1

generalize-okp(sg, <goals, free>) ∧ valid-state(generalize(sg, <goals, free>))
  →
statep(<goals, free>) ∧
var-substp(wit) ∧
domain(wit) ⊆ free ∧
theorem-list(goals/wit)
  where wit = gen-inst(sg, state)

(LET ((WIT (GEN-INST SG STATE)))
  (IMPLIES (AND (GENERALIZE-OKP SG STATE)
                (VALID-STATE (GENERALIZE SG STATE)))
           (AND (STATEP STATE)
                (VAR-SUBSTP WIT)
                (SUBSETP (DOMAIN WIT) (CDR STATE))
                (THEOREM-LIST (SUBST F WIT (CAR STATE))))))


Such a variable substitution wit = gen-inst(sg, state) can be constructed as follows (see also
Subsection 4.1 for motivation). Let s be a variable substitution that witnesses the validity of the state
generalize(sg, state). Let domain-1 be the GEN-CLOSURE of the variables occurring in the new
current goal (which is the result of applying the inverse of the generalizing substitution to the current goal), with
respect to the new goals and the existing list of free variables. Then the desired substitution
gen-inst(sg, state) may be defined as follows.

14. Definition of GEN-INST

(Recall that terms in italics are abbreviations. See Subsection 4.3 for an explanation of the abbreviations.)

gen-inst(sg, state) =
  (s1 ∪ s2) // (sg // s2)

(DEFN GEN-INST (SG STATE)
  (APPLY-TO-SUBST (APPLY-TO-SUBST S2 SG)
                  (APPEND S1 S2)))

The first three conjuncts of the conclusion of MAIN-THEOREM-1 are now quite trivial; they correspond
to events #15, #17, and #19 in the numbered list of events from "generalize.events" in the Appendix (and are
named MAIN-THEOREM-1-CASE-1, MAIN-THEOREM-1-CASE-2, and MAIN-THEOREM-1-CASE-3).
The first of these, statep(state), is clear by definition of GENERALIZE-OKP. The second,
var-substp(gen-inst(sg, state)), is clear from the way that gen-inst(sg, state) is built from
variable substitutions. The third, domain(wit) ⊆ 2nd(state), is also straightforward, though (like many
simple results proved with the Boyer-Moore prover) it uses basic "library" facts such as the lemma DOMAIN-
APPLY-TO-SUBST (see Section 3 above). A key observation for that case, which is specific to our notion of
generalization, is the fact that the set of free variables of the state obtained by applying the GENERALIZE
command is a subset of the set of free variables of the original state:

18. Lemma. SUBSETP-CDR-GENERALIZE

2nd(generalize(sg, state)) ⊆ 2nd(state)

(SUBSETP (CDR (GENERALIZE SG STATE))
         (CDR STATE))

It remains then only to check the last of the four cases from the conclusion of MAIN-THEOREM-1, i.e. to
prove the following (stated using abbreviations, in italics, from Subsection 4.3).

60. Lemma. MAIN-THEOREM-1-CASE-4

generalize-okp(sg, state) ∧ valid-state(generalize(sg, state))
  →
theorem-list(goals / gen-inst)

(IMPLIES (AND (GENERALIZE-OKP SG STATE)
              (VALID-STATE (GENERALIZE SG STATE)))
         (THEOREM-LIST (SUBST F GEN-INST GOALS)))

The idea now is to introduce a new predicate MAIN-HYPS that abstracts the hypotheses that are
needed, and then split the proof into two parts. First, we show that MAIN-HYPS implies the result for arbitrary
substitutions and goals. Second, we show that MAIN-HYPS holds of the particular substitutions and goals in
question. Thus the first part, MAIN-HYPS-SUFFICE below, states that the bizarre-looking substitution
((s1 ∪ s2) // (sg // s2)) (which however is closely related to the definition of GEN-INST) serves to
create a list of theorems, assuming that MAIN-HYPS holds of the relevant substitutions and goals. The other
part, MAIN-HYPS-RELIEVED, shows that MAIN-HYPS holds of the necessary substitutions and goals.


Notice that we do not use abbreviations in the first of the following lemmas; as suggested above, it holds
of arbitrary substitutions and goals. However, it is applied (by the theorem prover's rewriter) under the
particular instantiation (S1 := S1, S2 := S2, GOALS := GOALS), where the right-hand sides denote the
abbreviations of Subsection 4.3.

27. Lemma. MAIN-HYPS-SUFFICE

main-hyps(s1, s2, sg, g, p)
  → theorem-list(({g} ∪ p) / ((s1 ∪ s2) // (sg // s2)))

(IMPLIES (AND (LISTP GOALS)
              (MAIN-HYPS S1 S2 SG (CAR GOALS) (CDR GOALS)))
         (THEOREM-LIST (SUBST F
                              (APPLY-TO-SUBST (APPLY-TO-SUBST S2 SG)
                                              (APPEND S1 S2))
                              GOALS)))


59. Lemma. MAIN-HYPS-RELIEVED

generalize-okp(sg, state) ∧ valid-state(generalize(sg, state))
  →
main-hyps(s1, s2, sg, g, p)

(IMPLIES (AND (GENERALIZE-OKP SG STATE)
              (VALID-STATE (GENERALIZE SG STATE)))
         (MAIN-HYPS S1 S2 SG G P))


The proof now naturally splits into two parts, one for each of the two lemmas displayed immediately
above. We close this subsection with the remaining definitions before turning to the proofs of these two
remaining lemmas in the respective subsections below. First, here is the definition of main-hyps.

21. Definition of MAIN-HYPS

main-hyps(s1, s2, sg, g, p) =
  [ termp(g) ∧
    all-vars(g) ∩ domain(sg) = ∅ ∧
    term-listp(p) ∧
    all-vars(p) ∩ domain(sg) = ∅ ∧
    gen-setting-substitutions(s1, s2, sg) ∧
    theorem-list(({g/sg⁻¹} ∪ p) / (s1 ∪ s2)) ]

(DEFN MAIN-HYPS (S1 S2 SG G P)
  (AND (TERMP T G)
       (DISJOINT (ALL-VARS T G) (DOMAIN SG))
       (TERMP F P)
       (DISJOINT (ALL-VARS F P) (DOMAIN SG))
       (GEN-SETTING-SUBSTITUTIONS S1 S2 SG)
       (THEOREM-LIST (SUBST F (APPEND S1 S2)
                            (CONS (SUBST T (INVERT SG) G) P)))))


The auxiliary function GEN-SETTING-SUBSTITUTIONS is defined as follows.

20. Definition of GEN-SETTING-SUBSTITUTIONS

gen-setting-substitutions(s1, s2, sg) =
  [ var-substp(s1) ∧
    var-substp(s2) ∧
    var-substp(sg) ∧
    domain(s1) ∩ domain(sg) = ∅ ∧
    domain(s2) ∩ domain(sg) = ∅ ∧
    all-vars(range(sg)) ∩ domain(s1) = ∅ ∧
    all-vars(range(s2)) ∩ domain(sg) = ∅ ]

(DEFN GEN-SETTING-SUBSTITUTIONS (S1 S2 SG)
  (AND (VAR-SUBSTP S1)
       (VAR-SUBSTP S2)
       (VAR-SUBSTP SG)
       (DISJOINT (DOMAIN S1) (DOMAIN SG))
       (DISJOINT (DOMAIN S2) (DOMAIN SG))
       (DISJOINT (ALL-VARS F (RANGE SG))
                 (DOMAIN S1))
       (DISJOINT (ALL-VARS F (RANGE S2)) (DOMAIN SG))))


5.2 Proof of the lemma MAIN-HYPS-SUFFICE

Let us state the lemma once again.

27. Lemma. MAIN-HYPS-SUFFICE

main-hyps(s1, s2, sg, g, p)
  → theorem-list(({g} ∪ p) / ((s1 ∪ s2) // (sg // s2)))

(IMPLIES (AND (LISTP GOALS)
              (MAIN-HYPS S1 S2 SG (CAR GOALS) (CDR GOALS)))
         (THEOREM-LIST (SUBST F
                              (APPLY-TO-SUBST (APPLY-TO-SUBST S2 SG)
                                              (APPEND S1 S2))
                              GOALS)))


If we apply the definitions of SUBST and THEOREM-LIST in the expression above, then we see that it suffices
to prove the following two properties. (Think of g as the current goal and of p as the rest of the goals.)

24. Lemma. MAIN-HYPS-SUFFICE-FIRST

main-hyps(s1, s2, sg, g, p) → theorem(g / ((s1 ∪ s2) // (sg // s2)))

(IMPLIES (MAIN-HYPS S1 S2 SG G P)
         (THEOREM (SUBST T
                         (APPLY-TO-SUBST (APPLY-TO-SUBST S2 SG)
                                         (APPEND S1 S2))
                         G)))

26. Lemma. MAIN-HYPS-SUFFICE-REST

main-hyps(s1, s2, sg, g, p) → theorem-list(p / ((s1 ∪ s2) // (sg // s2)))

(IMPLIES (MAIN-HYPS S1 S2 SG G P)
         (THEOREM-LIST (SUBST F
                              (APPLY-TO-SUBST (APPLY-TO-SUBST S2 SG)
                                              (APPEND S1 S2))
                              P)))
Let  us  consider  these  two  cases  separately. 
5.2.1 Proof of the lemma MAIN-HYPS-SUFFICE-FIRST


Consider the first of these two lemmas, MAIN-HYPS-SUFFICE-FIRST. Let us begin by arguing
informally for its correctness. The last conjunct of MAIN-HYPS implies, assuming the hypothesis of the
lemma, that (g/sg⁻¹) / (s1 ∪ s2) is a theorem. Now every instance of a theorem by a variable
substitution is a theorem (by the CONSTRAIN event THEOREM-INTRO, event #1 in "generalize.events").
Then MAIN-HYPS-SUFFICE-FIRST above follows if we can show that the proposed theorem is an instance of
(g/sg⁻¹)/(s1 ∪ s2). The following lemma therefore implies MAIN-HYPS-SUFFICE-FIRST.

23. Lemma. MAIN-HYPS-SUFFICE-FIRST-LEMMA

termp(g) ∧ all-vars(g) ∩ domain(sg) = ∅ ∧ gen-setting-substitutions(s1, s2, sg)
  →
g / ((s1 ∪ s2) // (sg // s2)) = ((g / sg⁻¹) / (s1 ∪ s2)) / (sg // s2)

(IMPLIES (AND (TERMP T G)
              (DISJOINT (ALL-VARS T G) (DOMAIN SG))
              (GEN-SETTING-SUBSTITUTIONS S1 S2 SG))
         (EQUAL (SUBST T
                       (APPLY-TO-SUBST (APPLY-TO-SUBST S2 SG)
                                       (APPEND S1 S2))
                       G)
                (SUBST T (APPLY-TO-SUBST S2 SG)
                       (SUBST T (APPEND S1 S2)
                              (SUBST T (INVERT SG) G)))))


Let us see why this lemma holds, and in doing so, discover some of the motivation for the properties embodied
in MAIN-HYPS. Assume the following hypotheses, the last of which is the inductive hypothesis. Note: we'll
see during the proof what we need here about GEN-SETTING-SUBSTITUTIONS.

termp(g)
all-vars(g) ∩ domain(sg) = ∅
gen-setting-substitutions(s1, s2, sg)
(IH) g' / ((s1 ∪ s2) // (sg // s2))
       = ((g' / sg⁻¹) / (s1 ∪ s2)) / (sg // s2)
     for all proper subterms g' of g


The proof now breaks into three cases. We omit a few details but give many others, just to show the kind of
considerations required in the mechanically-checked proof.


Case 1: g ∈ range(sg), say g = sg(v). Then we have, working with the right side of the goal
equation:

((g / sg⁻¹) / (s1 ∪ s2)) / (sg // s2)
  = {definition of v}
(v / (s1 ∪ s2)) / (sg // s2)
  = {by lemma SUBST-NOT-OCCUR, Section 3, since v ∉ domain(s1 ∪ s2) by
     definition of GEN-SETTING-SUBSTITUTIONS}
v / (sg // s2)
  = {since v ∈ domain(sg)}
(sg // s2)(v)
  = {definitions of v and //}
g / s2


On the other hand, reducing the left side of the goal equation we have

g / ((s1 ∪ s2) // (sg // s2))
  = {by SUBST-APPEND-NOT-OCCUR-2 (cf. Section 3), since by the
     GEN-SETTING-SUBSTITUTIONS hypothesis we have
     all-vars(range(sg)) ∩ domain(s1) = ∅}
g / (s2 // (sg // s2))
  = {by the lemma APPLY-TO-SUBST-IS-NO-OP-FOR-DISJOINT-DOMAIN (cf. Section 3), since
     all-vars(range(s2)) ∩ domain(sg) = ∅}
g / s2


Case 2: g ∉ range(sg) and variablep(g).

((g / sg⁻¹) / (s1 ∪ s2)) / (sg // s2)
  = {since g ∉ range(sg)}
(g / (s1 ∪ s2)) / (sg // s2)
  = {by the composition rule COMPOSE-PROPERTY, cf. Subsection 2.3}
g / (((s1 ∪ s2) // (sg // s2)) ∪ (sg // s2))
  = {by lemma SUBST-APPEND-NOT-OCCUR-2 (cf. Section 3), since g ∉ domain(sg)}
g / ((s1 ∪ s2) // (sg // s2))


Case 3: otherwise. Then we may write g as <f v₁ ... vₙ>, and we have:

((g / sg⁻¹) / (s1 ∪ s2)) / (sg // s2)
  = {definition of SUBST, since by the case hypothesis, g is not in domain(sg⁻¹)}
<f (v₁/sg⁻¹)/(s1 ∪ s2) ... (vₙ/sg⁻¹)/(s1 ∪ s2)> / (sg // s2)
  = {definition of SUBST again, since sg is a variable substitution}
<f ((v₁/sg⁻¹)/(s1 ∪ s2)) / (sg // s2) ... ((vₙ/sg⁻¹)/(s1 ∪ s2)) / (sg // s2)>
  = {by the inductive hypothesis}
<f v₁/((s1 ∪ s2) // (sg // s2)) ... vₙ/((s1 ∪ s2) // (sg // s2))>
  = {definition of SUBST}
g / ((s1 ∪ s2) // (sg // s2))


Actually, a formalization of this proof in the Boyer-Moore logic tends to require one to prove the similar
theorem about lists of terms by a simultaneous induction. The theorem prover essentially carries out the above
argument in proving event #22 in "generalize.events", MAIN-HYPS-SUFFICE-FIRST-LEMMA-GENERAL,
which is a generalization we provide of MAIN-HYPS-SUFFICE-FIRST-LEMMA to both terms and term lists.
(That is, we leave FLG uninstantiated.) The cases in the inductive argument correspond to the definition of
SUBST, so we supply the hint (INDUCT (SUBST FLG SG-1 G)) for this lemma. Notice that we also give
sg⁻¹ a name, sg-1, for the technical reason that such induction hints in the Boyer-Moore prover must have
variables in the argument positions.

22. Lemma. MAIN-HYPS-SUFFICE-FIRST-LEMMA-GENERAL

[ (termp(g) ∨ term-listp(g)) ∧
  all-vars(g) ∩ domain(sg) = ∅ ∧
  gen-setting-substitutions(s1, s2, sg) ∧
  sg-1 = sg⁻¹ ]
  →
g / ((s1 ∪ s2) // (sg // s2)) = ((g / sg-1) / (s1 ∪ s2)) / (sg // s2)

(IMPLIES (AND (TERMP FLG G)
              (DISJOINT (ALL-VARS FLG G) (DOMAIN SG))
              (GEN-SETTING-SUBSTITUTIONS S1 S2 SG)
              (EQUAL SG-1 (INVERT SG)))
         (EQUAL (SUBST FLG
                       (APPLY-TO-SUBST (APPLY-TO-SUBST S2 SG)
                                       (APPEND S1 S2))
                       G)
                (SUBST FLG (APPLY-TO-SUBST S2 SG)
                       (SUBST FLG (APPEND S1 S2)
                              (SUBST FLG SG-1 G)))))


Finally, let us note that a number of trivial considerations that were ignored here must be dealt with in the
mechanical proof. Consider again, for example, the second step in the proof of the first case above:

(v / (s1 ∪ s2)) / (sg // s2)
  = {by lemma SUBST-NOT-OCCUR, Section 3, since v ∉ domain(s1 ∪ s2)
     by definition of GEN-SETTING-SUBSTITUTIONS}
v / (sg // s2)

Why do we know that v ∉ domain(s1 ∪ s2)? The reason above is "by definition of
GEN-SETTING-SUBSTITUTIONS". If we think carefully here then we realize that this use of the definition
of GEN-SETTING-SUBSTITUTIONS guarantees that the domain of sg is disjoint from the domains of s1
and s2; so at the very least we need to know that v, i.e. sg⁻¹(g), is a member of the domain of sg. A lemma
to this effect, VALUE-INVERT-NOT-MEMBER-OF-DOMAIN, has been included in Section 3. Another
example where we glossed over small details is in the following step from Case 1:

(sg // s2)(v)
  = {definitions of v and //}
g / s2

In fact we proved a lemma to accomplish this bit of reasoning; see VALUE-APPLY-TO-SUBST in Section 3
(with the confusing instantiation g := v, sg := s2, s := sg).
5.2.2 Proof of the lemma MAIN-HYPS-SUFFICE-REST


Recall that the other half of proving MAIN-HYPS-SUFFICE is:

26. Lemma. MAIN-HYPS-SUFFICE-REST

main-hyps(s1, s2, sg, g, p)
  → theorem-list(p / ((s1 ∪ s2) // (sg // s2)))

(IMPLIES (MAIN-HYPS S1 S2 SG G P)
         (THEOREM-LIST (SUBST F
                              (APPLY-TO-SUBST (APPLY-TO-SUBST S2 SG)
                                              (APPEND S1 S2))
                              P)))


Again we may use the property that an instance of a theorem (or theorem list) is a theorem (or theorem list,
respectively). Therefore the property above follows from the following lemma, with FLG set to F and s set to
(APPEND S1 S2) (informally, s1 ∪ s2), together with the definition of MAIN-HYPS.

25. Lemma. MAIN-HYPS-SUFFICE-REST-LEMMA

termp(p) ∧ variable-listp(domain(sg)) ∧ all-vars(p) ∩ domain(sg) = ∅
  →
p / (s // (sg // s2)) = (p / s) / (sg // s2)

(IMPLIES (AND (TERMP FLG P)
              (VARIABLE-LISTP (DOMAIN SG))
              (DISJOINT (ALL-VARS FLG P) (DOMAIN SG)))
         (EQUAL (SUBST FLG
                       (APPLY-TO-SUBST (APPLY-TO-SUBST S2 SG)
                                       S)
                       P)
                (SUBST FLG
                       (APPLY-TO-SUBST S2 SG)
                       (SUBST FLG S P))))


This is actually quite a straightforward result, using the rewrite rule COMPOSE-PROPERTY displayed in
Subsection 2.3 above. Here is an informal sketch of the proof (but note that the theorem prover proves this
automatically from the previously proved rules).

(p / s) / (sg // s2)
  = {by COMPOSE-PROPERTY}
p / (s ∘ (sg // s2))
  = {by definition of COMPOSE}
p / ((s // (sg // s2)) ∪ {<x,y> ∈ (sg // s2) : x ∉ domain(s)})
  = {by SUBST-APPEND-NOT-OCCUR-2 (cf. Section 3), since by
     hypothesis no variable occurring in p is in domain(sg // s2), i.e. in domain(sg)
     (see DOMAIN-APPLY-TO-SUBST in Section 3)}
p / (s // (sg // s2))
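As an added, executable check of the two substitution identities of this subsection and the previous one, not from the paper or from the PC-NQTHM sources, here is a Python model of the substitution operations used above (SUBST, APPEND as union, APPLY-TO-SUBST, INVERT). It evaluates both sides of MAIN-HYPS-SUFFICE-FIRST-LEMMA and MAIN-HYPS-SUFFICE-REST-LEMMA on constructed terms, and also shows why the conjunct all-vars(range(sg)) ∩ domain(s1) = ∅ of GEN-SETTING-SUBSTITUTIONS is needed: a substitution that instantiates z directly breaks the first identity. The term representation (strings for variables, tuples for applications) and the sample terms and substitutions are the example's own assumptions.

```python
# Added example (not from the paper): the substitution algebra of Section 5.2
# in Python, plus executable checks of events 23 and 25.  Terms are strings
# (variables) or tuples ('f', arg1, ...); substitutions are dicts, with
# whole terms allowed as keys so that INVERT SG fits the representation.


def all_vars(t):
    """ALL-VARS: the variables of a term, or of a list of terms."""
    if isinstance(t, str):
        return {t}
    parts = t if isinstance(t, list) else t[1:]
    return set().union(*(all_vars(a) for a in parts))


def subst(s, t):
    """SUBST: t/s, replacing each maximal subterm that is a key of s;
    a list of terms is substituted element-wise (FLG = F)."""
    if isinstance(t, list):
        return [subst(s, x) for x in t]
    if t in s:
        return s[t]
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(subst(s, a) for a in t[1:])


def union(s1, s2):
    """APPEND S1 S2: s1 ∪ s2, s1 taking precedence on shared keys."""
    return {**s2, **s1}


def apply_to_subst(s, s_prime):
    """APPLY-TO-SUBST S S': s' // s, i.e. s applied to every term in
    range(s'); the domain is unchanged (DOMAIN-APPLY-TO-SUBST)."""
    return {v: subst(s, t) for v, t in s_prime.items()}


def invert(sg):
    return {term: var for var, term in sg.items()}


def var_substp(s):
    return all(isinstance(v, str) for v in s)


def gen_setting_substitutions(s1, s2, sg):
    """Event 20, conjunct by conjunct."""
    return (var_substp(s1) and var_substp(s2) and var_substp(sg)
            and set(s1).isdisjoint(sg)
            and set(s2).isdisjoint(sg)
            and all_vars(list(sg.values())).isdisjoint(s1)
            and all_vars(list(s2.values())).isdisjoint(sg))


def first_lemma_holds(g, s1, s2, sg):
    """MAIN-HYPS-SUFFICE-FIRST-LEMMA (event 23):
    g / ((s1 ∪ s2) // (sg // s2)) = ((g / sg^-1) / (s1 ∪ s2)) / (sg // s2)."""
    sg_s2 = apply_to_subst(s2, sg)                       # sg // s2
    lhs = subst(apply_to_subst(sg_s2, union(s1, s2)), g)
    rhs = subst(sg_s2, subst(union(s1, s2), subst(invert(sg), g)))
    return lhs == rhs


def rest_lemma_holds(p, s, s2, sg):
    """MAIN-HYPS-SUFFICE-REST-LEMMA (event 25):
    p / (s // (sg // s2)) = (p / s) / (sg // s2)."""
    sg_s2 = apply_to_subst(s2, sg)
    return subst(apply_to_subst(sg_s2, s), p) == subst(sg_s2, subst(s, p))


# Constructed data (an assumption of this example): sg generalizes z+1 to a
# as in the paper's example.  S1 and S2 satisfy GEN-SETTING-SUBSTITUTIONS;
# BAD_S1 violates all-vars(range(sg)) ∩ domain(s1) = ∅ by instantiating z.
Z_PLUS_1 = ('+', 'z', ('1',))
SG = {'a': Z_PLUS_1}
G = ('<', Z_PLUS_1, ('f', 'y', 'z'))
P = [('q', 'y', 'w'), ('r', 'z')]
S1 = {'y': ('g', 'w')}
S2 = {'z': ('2',)}
BAD_S1 = {'z': ('3',)}

if __name__ == '__main__':
    print(gen_setting_substitutions(S1, S2, SG))      # True
    print(first_lemma_holds(G, S1, S2, SG))           # True
    print(rest_lemma_holds(P, union(S1, S2), S2, SG)) # True
    print(gen_setting_substitutions(BAD_S1, {}, SG))  # False
    print(first_lemma_holds(G, BAD_S1, {}, SG))       # False: z+1 on one side, 3+1 on the other
```

With BAD_S1 the left-hand side instantiates z inside the generalized occurrence of z+1 (giving 3+1), whereas the right-hand side has already replaced z+1 by a before s1 is applied and later restores z+1 unchanged; this is exactly the mismatch that SUBST-APPEND-NOT-OCCUR-2 rules out under the GEN-SETTING-SUBSTITUTIONS hypothesis in Case 1 above.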

5.3 Proof of the lemma MAIN-HYPS-RELIEVED

The only thing left to prove is the lemma MAIN-HYPS-RELIEVED. Let us repeat the statement of that
lemma, but opening up the definition of MAIN-HYPS. We will continue to use the abbreviations introduced in
Subsection 4.3 above.

59. Lemma. MAIN-HYPS-RELIEVED (with MAIN-HYPS opened up)

generalize-okp(sg, state) ∧ valid-state(generalize(sg, state))
  →
termp(g) ∧
all-vars(g) ∩ domain(sg) = ∅ ∧
term-listp(p) ∧
all-vars(p) ∩ domain(sg) = ∅ ∧
gen-setting-substitutions(s1, s2, sg) ∧
theorem-list(({new-g} ∪ p) / (s1 ∪ s2))

(IMPLIES (AND (GENERALIZE-OKP SG STATE)
              (VALID-STATE (GENERALIZE SG STATE)))
         (AND (TERMP T G)
              (DISJOINT (ALL-VARS T G) (DOMAIN SG))
              (TERMP F P)
              (DISJOINT (ALL-VARS F P) (DOMAIN SG))
              (GEN-SETTING-SUBSTITUTIONS S1 S2 SG)
              (THEOREM-LIST (SUBST F (APPEND S1 S2)
                                   (CONS NEW-G P)))))


We thus have six cases to deal with. However, the first four are quite easy; the lemmas
MAIN-HYPS-RELIEVED-n for n = 1, 2, 3, and 4 are events #30 through #33 in the file "generalize.events"
(cf. Appendix A). It remains only to prove the other two cases, MAIN-HYPS-RELIEVED-5 and MAIN-
HYPS-RELIEVED-6.

5.3.1 Proof of the lemma MAIN-HYPS-RELIEVED-5

Let us first state the lemma MAIN-HYPS-RELIEVED-5.

41. Lemma. MAIN-HYPS-RELIEVED-5

generalize-okp(sg, state) ∧ valid-state(generalize(sg, state))
  → gen-setting-substitutions(s1, s2, sg)

(IMPLIES (AND (GENERALIZE-OKP SG STATE)
              (VALID-STATE (GENERALIZE SG STATE)))
         (GEN-SETTING-SUBSTITUTIONS S1 S2 SG))


Opening up the function GEN-SETTING-SUBSTITUTIONS gives us a number of subgoals. The lemmas
which follow cover all of these subgoals. Many of them are more general than the corresponding cases of the
lemma MAIN-HYPS-RELIEVED-5. For example, in the first lemma below notice that DOMAIN-1 is an arbitrary
variable in place of the set denoted by the abbreviation domain-1 (while S is still the abbreviation for the
witnessing instantiation). Generality often makes the theorem prover's job easier.
34. Lemma. MAIN-HYPS-RELIEVED-5-LEMMA-1

valid-state(generalize(sg, state))
  → var-substp(s1) ∧ var-substp(s2)
  where
    s1 = s | domain-1
    s2 = (s |- domain-1) // nullify-subst(sg)

(LET ((S1 (RESTRICT S DOMAIN-1))
      (S2 (APPLY-TO-SUBST (NULLIFY-SUBST SG)
                          (CO-RESTRICT S DOMAIN-1))))
  (IMPLIES (VALID-STATE (GENERALIZE SG STATE))
           (AND (VAR-SUBSTP S1)
                (VAR-SUBSTP S2))))


35. Lemma. MAIN-HYPS-RELIEVED-5-LEMMA-2

generalize-okp(sg, state) → var-substp(sg)

(IMPLIES (GENERALIZE-OKP SG STATE)
         (VAR-SUBSTP SG))


For the next two cases from the definition of GEN-SETTING-SUBSTITUTIONS, we first observe that the
domain of the witnessing substitution s is disjoint from the domain of sg. This is an easy consequence of the
definitions, which imply that domain(s) ⊆ 2nd(generalize(sg, state)) ⊆ free and that free is
disjoint from the domain of sg.

36. Lemma. WITNESSING-INSTANTIATION-IS-DISJOINT-FROM-GENERALIZING-SUBSTITUTION

generalize-okp(sg, state) ∧ valid-state(generalize(sg, state))
  → domain(s) ∩ domain(sg) = ∅

(IMPLIES (AND (GENERALIZE-OKP SG STATE)
              (VALID-STATE (GENERALIZE SG STATE)))
         (DISJOINT (DOMAIN S) (DOMAIN SG)))


Since the domain of any restriction or co-restriction of a substitution is a subset of the original domain, and
since the application of a substitution s to a substitution s' has the same domain as does s' (see DOMAIN-
APPLY-TO-SUBST in Section 3), the next two cases follow from the lemma displayed just above.

37. Lemma. MAIN-HYPS-RELIEVED-5-LEMMA-3

generalize-okp(sg, state) ∧ valid-state(generalize(sg, state))
  →
domain(s1) ∩ domain(sg) = ∅ ∧ domain(s2) ∩ domain(sg) = ∅
  where
    s1 = s | domain-1
    s2 = (s |- domain-1) // nullify-subst(sg)

(LET ((S1 (RESTRICT S DOMAIN-1))
      (S2 (APPLY-TO-SUBST (NULLIFY-SUBST SG)
                          (CO-RESTRICT S DOMAIN-1))))
  (IMPLIES (AND (GENERALIZE-OKP SG STATE)
                (VALID-STATE (GENERALIZE SG STATE)))
           (AND (DISJOINT (DOMAIN S1) (DOMAIN SG))
                (DISJOINT (DOMAIN S2) (DOMAIN SG)))))


The following lemma MAIN-HYPS-RELIEVED-5-LEMMA-4 handles the next case.

39. Lemma. MAIN-HYPS-RELIEVED-5-LEMMA-4

generalize-okp(sg, state) ∧ valid-state(generalize(sg, state))
  → all-vars(range(sg)) ∩ domain(s1) = ∅

(IMPLIES (AND (GENERALIZE-OKP SG STATE)
              (VALID-STATE (GENERALIZE SG STATE)))
         (DISJOINT (ALL-VARS F (RANGE SG))
                   (DOMAIN S1)))


Let us argue informally for the correctness of this lemma. Assuming its hypotheses, we have:

all-vars(range(sg)) ∩ domain(s1)
  = {by definition}
all-vars(range(sg)) ∩ domain(s | domain-1)
  = {by DOMAIN-RESTRICT in Section 3}
all-vars(range(sg)) ∩ domain(s) ∩ domain-1
  ⊆ {by axiom introduced for VALID-STATE}
all-vars(range(sg)) ∩ 2nd(generalize(sg, state)) ∩ domain-1
  = {by definition of GENERALIZE}
all-vars(range(sg))
  ∩ [free \ (domain-1 ∩ all-vars(range(sg)))]
  ∩ domain-1
  = {trivial set-theoretic reasoning; see below}
∅


How would a person reason in the last step? A natural course would be to consider an arbitrary x and show that
if it belongs to all-vars(range(sg)) and also to [free \ (domain-1 ∩
all-vars(range(sg)))], then it does not belong to domain-1. In fact the analogous fact is proved as a
lemma for the intersection displayed two steps earlier in the informal proof above.

38. Lemma. MAIN-HYPS-RELIEVED-5-LEMMA-4-WIT

[ generalize-okp(sg, state) ∧
  valid-state(generalize(sg, state)) ∧
  wit ∈ all-vars(range(sg)) ∧
  wit ∈ domain(s) ]
  → wit ∉ domain-1

(IMPLIES (AND (GENERALIZE-OKP SG STATE)
              (VALID-STATE (GENERALIZE SG STATE))
              (MEMBER WIT (ALL-VARS F (RANGE SG)))
              (MEMBER WIT (DOMAIN S)))
         (NOT (MEMBER WIT DOMAIN-1)))


We have one final technical comment on the proof of MAIN-HYPS-RELIEVED-5-LEMMA-4. In addition to
proving the lemma MAIN-HYPS-RELIEVED-5-LEMMA-4-WIT first (as a rewrite rule), a hint is also given to
enable the lemma DISJOINT-WIT-WITNESSES. That lemma has the effect of reducing the statement that
all-vars(range(sg)) is disjoint from the domain of s1 to the question of whether a particular value
could belong to both of them. For a description of that lemma, see Section 3.


The final case goes through automatically, though here it is crucial that s2 is built using
NULLIFY-SUBST; see the lemma DISJOINT-ALL-VARS-RANGE-APPLY-SUBST-NULLIFY-SUBST in
Section 3.


40. Lemma. MAIN-HYPS-RELIEVED-5-LEMMA-5

generalize-okp(sg, state) ∧ valid-state(generalize(sg, state))
  → all-vars(range(s2)) ∩ domain(sg) = ∅

(IMPLIES (AND (GENERALIZE-OKP SG STATE)
              (VALID-STATE (GENERALIZE SG STATE)))
         (DISJOINT (ALL-VARS F (RANGE S2))
                   (DOMAIN SG)))

5.3.2 Proof of the lemma MAIN-HYPS-RELIEVED-6


Now all that is left is the proof of the lemma MAIN-HYPS-RELIEVED-6. Here is its statement.

58. Lemma. MAIN-HYPS-RELIEVED-6

generalize-okp(sg, state) ∧ valid-state(generalize(sg, state))

→ theorem-list(({new-g} ∪ p) / (s1 ∪ s2))

(IMPLIES (AND (GENERALIZE-OKP SG STATE)
              (VALID-STATE (GENERALIZE SG STATE)))
         (THEOREM-LIST (SUBST F (APPEND S1 S2)
                              (CONS NEW-G P))))


Here is a very high-level view of the proof, which incidentally should show why we chose to bring in the
notion of "gen-closure". Because of the way that the function GEN-CLOSURE is defined (event #10 above), the
set domain-1 has the following property: for every goal x in the new state generalize(sg, state), the
set of free variables in that state that occur in x is either contained in domain-1 or disjoint from it. In the
former case, which includes the case x = new-g, no variable occurring in x is in the domain of s2, and it follows
that x/(s1 ∪ s2) = x/s1 = x/s. In the latter case we similarly have x/(s1 ∪ s2) = x/s2. Since we
have already dealt with the case x = new-g, we may assume that x ∈ p, and by a little additional technical
argument we can show that x/s2 is an instance of x/s. So we have that x/(s1 ∪ s2) is an instance of x/s,
and since x/s is a theorem (by definition of s and the VALID-STATE hypothesis), so is x/(s1 ∪ s2).

Let us proceed now along the lines of the mechanically-checked proof. By opening up SUBST and
theorem-list we can break MAIN-HYPS-RELIEVED-6 into the following two goals.

45. Lemma. MAIN-HYPS-RELIEVED-6-FIRST

generalize-okp(sg, state) ∧ valid-state(generalize(sg, state))

→ theorem(new-g / (s1 ∪ s2))

(IMPLIES (AND (GENERALIZE-OKP SG STATE)
              (VALID-STATE (GENERALIZE SG STATE)))
         (THEOREM (SUBST T (APPEND S1 S2) NEW-G)))
57. Lemma. MAIN-HYPS-RELIEVED-6-REST

generalize-okp(sg, state) ∧ valid-state(generalize(sg, state))

→ theorem-list(p / (s1 ∪ s2))

(IMPLIES (AND (GENERALIZE-OKP SG STATE)
              (VALID-STATE (GENERALIZE SG STATE)))
         (THEOREM-LIST (SUBST F (APPEND S1 S2) P)))

Let us consider these in turn.

5.3.2(1) Proof of the lemma MAIN-HYPS-RELIEVED-6-FIRST. Here is an informal proof of the first of
these two lemmas. We begin with a key observation, which we will both prove and use presently.

(*) domain(s) ∩ all-vars(new-g) ⊆ domain-1

Now recall the lemma SUBST-APPEND-NOT-OCCUR-2 (stated in Subsection 5.2 above) which says if no
variable of a term x belongs to the domain of a substitution s2 then x/(s1 ∪ s2) = x/s1. The
domain of s2 is equal to domain(s) \ domain-1; hence the requirement for SUBST-APPEND-NOT-OCCUR-2
that domain(s2) be disjoint from all-vars(new-g) holds by (*).† So assuming our hypotheses
of generalize-okp(sg, state) and valid-state(generalize(sg, state)), we may
summarize the argument as follows.

new-g / (s1 ∪ s2)

= {by the lemma SUBST-APPEND-NOT-OCCUR-2 (cf. Section 3) and (*)}

new-g / s1

= {by the lemma SUBST-RESTRICT (cf. Section 3) and (*)}

new-g / s

It remains to check that (*) holds. Consider the following lemma.

44. Lemma. GEN-CLOSURE-CONTAINS-THIRD-ARG

x ⊆ (free ∩ vars)

→ x ⊆ gen-closure(goals, free, vars)

(IMPLIES (SUBSETP X (INTERSECTION FREE VARS))
         (SUBSETP X (GEN-CLOSURE GOALS FREE VARS)))

If we apply this lemma with goals := {new-g} ∪ p, free := free, vars := all-vars(new-g), and x :=
domain(s) ∩ all-vars(new-g), the resulting instance can be expressed using our abbreviations as
follows.


† The lemmas used in this argument are DOMAIN-CO-RESTRICT from "alists.events" and DISJOINT-SET-DIFF-GENERAL from
"sets.events".


domain(s) ∩ all-vars(new-g) ⊆ (free ∩ all-vars(new-g)) → (*)

(IMPLIES (SUBSETP (INTERSECTION (DOMAIN S) (ALL-VARS NEW-G))
                  (INTERSECTION FREE (ALL-VARS NEW-G)))
         (*))

So in order to prove (*), it suffices to prove the hypothesis of this implication, which in turn follows from

domain(s) ⊆ 2nd(generalize(sg, state)) ⊆ free

The first inclusion follows from the fact that the domain of s is contained in the free variables of the new
(generalized) state, which is part of the VALID-STATE hypothesis. The second inclusion is just the lemma
SUBSETP-CDR-GENERALIZE from Subsection 5.1 above. This concludes the proof of MAIN-HYPS-
RELIEVED-6-FIRST.


In fact we close with one technical comment. The lemma CAR-GENERALIZE is proved before the
lemma GEN-CLOSURE-CONTAINS-THIRD-ARG above so as to speed up the proofs. The idea is that we
only want to invoke the rather hairy definition of GENERALIZE when we are looking at goals, not when we are
simply asking about the witnessing substitution.

42. Lemma. CAR-GENERALIZE

1st(generalize(sg, state)) = {g / invert(sg)} ∪ p,   where 1st(state) = {g} ∪ p

(EQUAL (CAR (GENERALIZE SG STATE))
       (CONS (SUBST T (INVERT SG) (CAAR STATE))
             (CDAR STATE)))


5.3.2(2) Proof of the lemma MAIN-HYPS-RELIEVED-6-REST. We now move to the proof of our final
goal, which once again is:

57. Lemma. MAIN-HYPS-RELIEVED-6-REST

generalize-okp(sg, state) ∧ valid-state(generalize(sg, state))

→ theorem-list(p / (s1 ∪ s2))

(IMPLIES (AND (GENERALIZE-OKP SG STATE)
              (VALID-STATE (GENERALIZE SG STATE)))
         (THEOREM-LIST (SUBST F (APPEND S1 S2) P)))


Let us begin with the following key notion suggested by the informal proof given above. It asserts that every
goal's free variables are either contained in the set x or are disjoint from x.
46. Definition. ALL-VARS-DISJOINT-OR-SUBSETP

all-vars-disjoint-or-subsetp(goals, free, x) ≡

(∀ g ∈ goals) [ free ∩ all-vars(g) ⊆ x  ∨  free ∩ all-vars(g) ∩ x = ∅ ]

(DEFN ALL-VARS-DISJOINT-OR-SUBSETP (GOALS FREE X)
  (IF (LISTP GOALS)
      (AND (OR (SUBSETP (INTERSECTION FREE (ALL-VARS T (CAR GOALS)))
                        X)
               (DISJOINT (INTERSECTION FREE (ALL-VARS T (CAR GOALS)))
                         X))
           (ALL-VARS-DISJOINT-OR-SUBSETP (CDR GOALS) FREE X))
      T))


Observe that the set of goals p has the above property with respect to the free variables of the generalized state
and the appropriate "gen-closure", domain-1:

52. Lemma. MAIN-HYPS-RELIEVED-6-REST-LEMMA-2

generalize-okp(sg, state) ∧ valid-state(generalize(sg, state))

→ all-vars-disjoint-or-subsetp(p, 2nd(generalize(sg, state)), domain-1)

(IMPLIES (AND (GENERALIZE-OKP SG STATE)
              (VALID-STATE (GENERALIZE SG STATE)))
         (ALL-VARS-DISJOINT-OR-SUBSETP P (CDR (GENERALIZE SG STATE)) DOMAIN-1))


This follows from the definition of domain-1 and the following observation. Actually, the following lemma
is relevant in the special case (instance) where new-free is 2nd(generalize(sg, state)), i.e. the set of
free variables of the new (generalized) state; free is free; goals is p; g is g; and vars is domain-1.

51. Lemma. ALL-VARS-DISJOINT-OR-SUBSETP-GEN-CLOSURE

new-free ⊆ free

→ all-vars-disjoint-or-subsetp(p, new-free, gen-closure({g} ∪ p, free, vars))

(IMPLIES (SUBSETP NEW-FREE FREE)
         (ALL-VARS-DISJOINT-OR-SUBSETP
           P NEW-FREE
           (GEN-CLOSURE (CONS G P) FREE VARS)))


Let us attempt to finish the proof of our remaining goal MAIN-HYPS-RELIEVED-6-REST with informal
reasoning. Assume its hypotheses. Let x be any goal in p; then by the VALID-STATE hypothesis, we have
theorem(x). Moreover, the lemma MAIN-HYPS-RELIEVED-6-REST-LEMMA-2 above says that
the set of free variables occurring in x is contained in or disjoint from domain-1. Hence there are two cases.
We follow the outline given at the start of this subsection 5.3.2 (just below the statement of the lemma
MAIN-HYPS-RELIEVED-6).

Case 1: all-vars(x) ⊆ domain-1. Then since domain(s2) = domain(s) \ domain-1 (by
definition of s2 and the lemmas DOMAIN-CO-RESTRICT and DOMAIN-APPLY-TO-SUBST in Section 3), it
follows from the case hypothesis that

(1) all-vars(x) ∩ domain(s2) = ∅.

Therefore

x/(s1 ∪ s2)

= {by (1) together with the lemma SUBST-APPEND-NOT-OCCUR-2 (cf. Section 3)}

x/s1

= {by (1) together with the lemma SUBST-RESTRICT (cf. Section 3)}

x/s


Case 2: all-vars(x) ∩ domain-1 = ∅. The argument is a little more involved in this case,
because s2 is not simply a co-restriction of s. Recall that s2 is defined as (s |~ domain-1) //
nullify-subst(sg). This time we argue as follows.

x/(s1 ∪ s2)

= {by the lemma SUBST-APPEND-NOT-OCCUR-1 (cf. Section 3)}

x/s2

= {by definition}

x/((s |~ domain-1) // nullify-subst(sg))

= {as we will show below}

(x/(s |~ domain-1)) / nullify-subst(sg)

= {by the lemma SUBST-CO-RESTRICT (cf. Section 3)}

(x/s) / nullify-subst(sg)


Therefore x/(s1 ∪ s2) is a theorem (cf. event #54 in "generalize.events" in the Appendix, which we omit
here), since it is an instance of x/s (which is a theorem by the VALID-STATE hypothesis). But it remains to
explain the reason "as we will show below" for the penultimate step above. The following lemma is the key.
It is applied automatically by the theorem prover's rewriter using the substitution (sg := nullify-
subst(sg), s := (s |~ domain-1)).

53. Lemma. SUBST-APPLY-TO-SUBST-ELIMINATOR

[ variable-listp(domain(sg)) ∧
  variable-listp(domain(s)) ∧
  termp(x) ∧
  domain(sg) ∩ all-vars(x) = ∅ ]

→

x / (s // sg) = (x / s) / sg

(IMPLIES (AND (VARIABLE-LISTP (DOMAIN SG))
              (VARIABLE-LISTP (DOMAIN S))
              (TERMP T X)
              (DISJOINT (DOMAIN SG) (ALL-VARS T X)))
         (EQUAL (SUBST T (APPLY-TO-SUBST SG S) X)
                (SUBST T SG
                       (SUBST T S X))))
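The Case 1 / Case 2 calculation above and the eliminator lemma just stated are both identities on substitutions, which makes them easy to model and check on concrete terms. The following Python is an added example, not code from the paper: terms are variables (str) or applications (tuples), substitutions are dicts, and restrict, co_restrict, apply_to_subst and union are this example's reading of RESTRICT, CO-RESTRICT, APPLY-TO-SUBST and APPEND on substitutions. NULLIFY-SUBST is not defined on this page, so nullify_subst is an assumed model that keeps only the property the text relies on (the same domain as sg, lemma DOMAIN-NULLIFY-SUBST). The sample substitutions are constructed.

```python
# Added example, not code from the paper: an executable model of the
# substitution algebra behind the Case 1 / Case 2 argument and the lemma
# SUBST-APPLY-TO-SUBST-ELIMINATOR.  Terms: a variable is a str, an
# application is a tuple (fn, arg1, ..., argn).  A substitution is a dict
# {variable: term}.  restrict, co_restrict, apply_to_subst and union are
# this example's reading of RESTRICT, CO-RESTRICT, APPLY-TO-SUBST and
# APPEND on substitutions.  NULLIFY-SUBST is not defined on this page;
# nullify_subst below is an assumed model keeping only the one property
# the text uses (lemma DOMAIN-NULLIFY-SUBST: same domain as sg).


def all_vars(term):
    """ALL-VARS T: the set of variables occurring in a term."""
    if isinstance(term, str):
        return {term}
    vs = set()
    for arg in term[1:]:
        vs |= all_vars(arg)
    return vs


def subst(s, term):
    """term/s (SUBST T): replace every variable in domain(s) by its image."""
    if isinstance(term, str):
        return s.get(term, term)
    return (term[0],) + tuple(subst(s, arg) for arg in term[1:])


def restrict(s, vars_):
    """s | vars: the pairs of s whose variable lies in vars."""
    return {v: t for v, t in s.items() if v in vars_}


def co_restrict(s, vars_):
    """s |~ vars: the pairs of s whose variable lies outside vars."""
    return {v: t for v, t in s.items() if v not in vars_}


def apply_to_subst(sg, s):
    """s // sg: apply sg to every term in the range of s."""
    return {v: subst(sg, t) for v, t in s.items()}


def union(s1, s2):
    """s1 ∪ s2 as APPEND of alists: on a clash the s1 binding is found first."""
    return {**s2, **s1}


def nullify_subst(sg):
    """Assumed model of NULLIFY-SUBST: same domain as sg, each variable
    sent to a fixed constant (the constant itself is this example's choice)."""
    return {v: ("null",) for v in sg}


def split_subst(s, sg, domain_1):
    """s1 = s | domain-1 and s2 = (s |~ domain-1) // nullify-subst(sg),
    the LET of lemma MAIN-HYPS-RELIEVED-6-REST-GENERALIZATION."""
    s1 = restrict(s, domain_1)
    s2 = apply_to_subst(nullify_subst(sg), co_restrict(s, domain_1))
    return s1, s2


def case_1_holds(x, s, sg, domain_1):
    """Case 1: all-vars(x) ⊆ domain-1 gives x/(s1 ∪ s2) = x/s."""
    assert all_vars(x) <= domain_1, "not a Case 1 goal"
    s1, s2 = split_subst(s, sg, domain_1)
    return subst(union(s1, s2), x) == subst(s, x)


def case_2_holds(x, s, sg, domain_1):
    """Case 2: all-vars(x) ∩ domain-1 = ∅ and domain(sg) ∩ all-vars(x) = ∅
    give x/(s1 ∪ s2) = (x/s)/nullify-subst(sg), an instance of x/s."""
    assert all_vars(x).isdisjoint(domain_1), "not a Case 2 goal"
    assert all_vars(x).isdisjoint(sg), "domain(sg) meets all-vars(x)"
    s1, s2 = split_subst(s, sg, domain_1)
    return subst(union(s1, s2), x) == subst(nullify_subst(sg), subst(s, x))


def eliminator_holds(x, s, sg):
    """Conclusion of SUBST-APPLY-TO-SUBST-ELIMINATOR: x/(s//sg) = (x/s)/sg.
    Returns False only when the hypothesis domain(sg) ∩ all-vars(x) = ∅
    is violated, which is what the last call below demonstrates."""
    return subst(apply_to_subst(sg, s), x) == subst(sg, subst(s, x))


# Constructed sample data.
S = {"a": ("k",), "b": "c", "d": ("h", "e")}   # the witnessing substitution s
SG = {"e": ("z",)}                              # the generalizing substitution sg
DOMAIN_1 = {"a", "b"}                           # the gen-closure

if __name__ == "__main__":
    print(case_1_holds(("f", "a", ("g", "b")), S, SG, DOMAIN_1))   # True
    print(case_2_holds(("f", "d"), S, SG, DOMAIN_1))               # True
    print(eliminator_holds(("f", "d"), S, SG))                     # True
    print(eliminator_holds("e", S, SG))  # False: 'e' is in domain(sg)
```

The last call is the reason the lemma carries the hypothesis domain(sg) ∩ all-vars(x) = ∅: applying sg after s can still hit a variable of x itself, whereas s // sg only touches the range of s. In the proof this hypothesis is discharged for the Case 2 goals by MAIN-HYPS-RELIEVED-6-REST-LEMMA-1 below.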


Notice that by the lemma DOMAIN-NULLIFY-SUBST (cf. Section 3), we can safely equate the domains of sg
and nullify-subst(sg). But why can we assume that the domain of sg is disjoint from the variables of
x? Recall that x is an arbitrary member of the set of goals from p that (by the Case 2 hypothesis) do not
intersect domain-1. That is, the following lemma should suffice to conclude the proof. (The definition of the
function GOALS-DISJOINT-FROM-VARS will follow.)

50. Lemma. MAIN-HYPS-RELIEVED-6-REST-LEMMA-1

[ generalize-okp(sg, state) ∧ valid-state(generalize(sg, state)) ]

→

[ domain(sg) ∩
  all-vars(goals-disjoint-from-vars(p, 2nd(generalize(sg, state)), domain-1))
  = ∅ ]

(IMPLIES (AND (GENERALIZE-OKP SG STATE)
              (VALID-STATE (GENERALIZE SG STATE)))
         (DISJOINT (DOMAIN SG)
                   (ALL-VARS F (GOALS-DISJOINT-FROM-VARS
                                 P (CDR (GENERALIZE SG STATE))
                                 DOMAIN-1))))


And here is the obvious definition of GOALS-DISJOINT-FROM-VARS, followed by an important property of
this function.

47. Definition of GOALS-DISJOINT-FROM-VARS

goals-disjoint-from-vars(goals, free, vars) ≡

{ g ∈ goals : free ∩ all-vars(g) ∩ vars = ∅ }

(defn goals-disjoint-from-vars (goals free vars)
  (if (listp goals)
      (let ((current-free-vars (intersection free (all-vars t (car goals)))))
        (if (disjoint current-free-vars vars)
            (cons (car goals)
                  (goals-disjoint-from-vars (cdr goals) free vars))
            (goals-disjoint-from-vars (cdr goals) free vars)))
      nil))

48. Lemma. GOALS-DISJOINT-FROM-VARS-SUBSETP

goals-disjoint-from-vars(goals, free, vars) ⊆ goals

(SUBSETP (GOALS-DISJOINT-FROM-VARS GOALS FREE VARS)
         GOALS)
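The two definitions (events 46 and 47) and the property in event 48 are simple enough to run directly. The following Python is an added example, not code from the paper: it implements the definitions over terms modelled as in the informal notation (a variable is a str, an application is a tuple), checks event 48 on a constructed goal list, and also performs the Case 1 / Case 2 split of the goals that the proof of MAIN-HYPS-RELIEVED-6-REST relies on. The sample free-variable set, domain-1 and goal list are constructed for the example.

```python
# Added example, not code from the paper: the definitions
# ALL-VARS-DISJOINT-OR-SUBSETP (event 46) and GOALS-DISJOINT-FROM-VARS
# (event 47) executed over constructed goals, together with the property
# GOALS-DISJOINT-FROM-VARS-SUBSETP (event 48).  Terms are modelled as in
# the paper's informal notation: a variable is a str, an application is
# a tuple (fn, arg1, ..., argn); ALL-VARS returns the set of variables.


def all_vars(term):
    """ALL-VARS T: the variables occurring in a term."""
    if isinstance(term, str):
        return {term}
    vs = set()
    for arg in term[1:]:
        vs |= all_vars(arg)
    return vs


def all_vars_disjoint_or_subsetp(goals, free, x):
    """Event 46: for every goal g, free ∩ all-vars(g) is either a subset
    of x or disjoint from x."""
    for g in goals:
        fv = free & all_vars(g)
        if not (fv <= x or fv.isdisjoint(x)):
            return False
    return True


def goals_disjoint_from_vars(goals, free, vars_):
    """Event 47: the goals whose free variables avoid vars_, in order."""
    return [g for g in goals if (free & all_vars(g)).isdisjoint(vars_)]


def subsetp(x, y):
    """SUBSETP on lists."""
    return all(e in y for e in x)


def split_goals(goals, free, x):
    """The case split used in the proof of MAIN-HYPS-RELIEVED-6-REST:
    goals whose free variables lie inside x (Case 1) and goals whose free
    variables are disjoint from x (Case 2).  Only meaningful when event 46
    holds, which is checked first.  A goal with no free variables at all
    satisfies both conditions and so appears in both lists."""
    assert all_vars_disjoint_or_subsetp(goals, free, x)
    inside = [g for g in goals if (free & all_vars(g)) <= x]
    return inside, goals_disjoint_from_vars(goals, free, x)


# Constructed sample: free variables of the generalized state, the
# gen-closure domain-1, and a goal list p.  'e' is deliberately not free.
FREE = {"a", "b", "c", "d"}
DOMAIN_1 = {"a", "b"}
P = [("p", "a", "b"), ("q", "c", ("f", "d")), ("r", "a", "e")]

if __name__ == "__main__":
    print(all_vars_disjoint_or_subsetp(P, FREE, DOMAIN_1))        # True
    print(goals_disjoint_from_vars(P, FREE, DOMAIN_1))             # [('q', 'c', ('f', 'd'))]
    # a goal mixing a domain-1 variable with a free variable outside it
    # violates event 46:
    print(all_vars_disjoint_or_subsetp(P + [("s", "a", "c")], FREE, DOMAIN_1))  # False
```

The failing goal ("s", "a", "c") is exactly what the gen-closure construction rules out: its free variables straddle domain-1, so neither SUBST-APPEND-NOT-OCCUR-2 (Case 1) nor SUBST-APPEND-NOT-OCCUR-1 (Case 2) would apply to it.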

Event #49, DISJOINT-ALL-VARS-GOALS-DISJOINT-FROM-VARS, is merely a technical lemma that is
necessary because of the theorem prover's difficulty in relieving hypotheses of rewrite rules that contain
variables not bound in the conclusion. We omit its statement here.


We conclude by summarizing the top-level structure of the proof of the lemma MAIN-HYPS-
RELIEVED-6-REST, which is motivated by the discussion above. This lemma is an immediate consequence of
the following lemma, in conjunction with the lemmas MAIN-HYPS-RELIEVED-6-REST-LEMMA-1 (event
#50) and MAIN-HYPS-RELIEVED-6-REST-LEMMA-2 (event #52), already explained above, which are used
to relieve its last two hypotheses. Notice that this lemma is somewhat more abstract than those two, in that it
refers to arbitrary values of p, s, domain-1, and new-free.


56. Lemma. MAIN-HYPS-RELIEVED-6-REST-GENERALIZATION

[ var-substp(sg) ∧
  var-substp(s) ∧
  domain(s) ⊆ new-free ∧
  termp-list(p) ∧
  theorem-list(p/s) ∧
  domain(sg) ∩ all-vars(goals-disjoint-from-vars(p, new-free, domain-1)) = ∅ ∧
  all-vars-disjoint-or-subsetp(p, new-free, domain-1) ]

→

theorem-list(p/(s1 ∪ s2))

where

s1 = s | domain-1

s2 = (s |~ domain-1) // nullify-subst(sg)

(LET ((S1 (RESTRICT S DOMAIN-1))
      (S2 (APPLY-TO-SUBST (NULLIFY-SUBST SG)
                          (CO-RESTRICT S DOMAIN-1))))
  (IMPLIES (AND (VAR-SUBSTP SG)
                (VAR-SUBSTP S)
                (SUBSETP (DOMAIN S) NEW-FREE)
                (TERMP F P)
                (THEOREM-LIST (SUBST F S P))
                (DISJOINT (DOMAIN SG)
                          (ALL-VARS F (GOALS-DISJOINT-FROM-VARS
                                        P NEW-FREE DOMAIN-1)))
                (ALL-VARS-DISJOINT-OR-SUBSETP P NEW-FREE DOMAIN-1))
           (THEOREM-LIST (SUBST F (APPEND S1 S2) P))))


The theorem prover implements the informal arguments presented above when proving this theorem by
induction on the length of p. However, we encountered difficulties at first in finding the right argument, at least
during our second proof effort (see Subsection 1.2). The remainder of this section contains an edited version of
the comments made during that proof, just after completion of MAIN-HYPS-RELIEVED-6-REST-LEMMA-2
(so that all that was left was the proof of MAIN-HYPS-RELIEVED-6-REST-GENERALIZATION). All of this
below may be safely omitted; it's there simply for those familiar with the Boyer-Moore theorem prover who
want to dig a little deeper into the details of the proof effort.

5.3.2(3) Some comments on the proof of the lemma
MAIN-HYPS-RELIEVED-6-REST-GENERALIZATION. Finally, all that's left is MAIN-HYPS-
RELIEVED-6-REST-GENERALIZATION. An attempted proof by induction of that theorem results in 11
goals, all but one of which goes through automatically. The remaining one is as follows.
(IMPLIES
 (AND
  (DISJOINT NEW-FREE
            (INTERSECTION DOMAIN-1
                          (ALL-VARS T X)))
  (THEOREM-LIST
   (SUBST F
          (APPEND (RESTRICT S DOMAIN-1)
                  (APPLY-TO-SUBST (NULLIFY-SUBST SG)
                                  (CO-RESTRICT S DOMAIN-1)))
          Z))
  (MAPPING SG)
  (VARIABLE-LISTP (DOMAIN SG))
  (TERMP F (RANGE SG))
  (MAPPING S)
  (VARIABLE-LISTP (DOMAIN S))
  (TERMP F (RANGE S))
  (SUBSETP (DOMAIN S) NEW-FREE)
  (TERMP T X)
  (TERMP F Z)
  (THEOREM (SUBST T S X))
  (THEOREM-LIST (SUBST F S Z))
  (DISJOINT (DOMAIN SG) (ALL-VARS T X))
  (DISJOINT (DOMAIN SG)
            (ALL-VARS F
                      (GOALS-DISJOINT-FROM-VARS Z NEW-FREE DOMAIN-1)))
  (ALL-VARS-DISJOINT-OR-SUBSETP Z NEW-FREE DOMAIN-1))
 (THEOREM (SUBST T
                 (APPEND (RESTRICT S DOMAIN-1)
                         (APPLY-TO-SUBST (NULLIFY-SUBST SG)
                                         (CO-RESTRICT S DOMAIN-1)))
                 X)))


Let us attempt to prove this goal with PC-NQTHM, thus seeing why the rewriter can't handle it
automatically. With the aid of PC-NQTHM's SHOW-REWRITES command, we see that we would like to
rewrite with the lemma SUBST-APPEND-NOT-OCCUR-1 (see Section 3) to replace the conclusion with:


(THEOREM (SUBST T
                (APPLY-TO-SUBST (NULLIFY-SUBST SG)
                                (CO-RESTRICT S DOMAIN-1))
                X))


However, in order to do that we see (using PC-NQTHM's REWRITE command) that we need to know that
under the hypotheses, the following holds.

(DISJOINT (ALL-VARS F
                    (DOMAIN (RESTRICT S DOMAIN-1)))
          (ALL-VARS T X))


One would think that this follows quite clearly from just two of the hypotheses:

(DISJOINT NEW-FREE
          (INTERSECTION DOMAIN-1
                        (ALL-VARS T X)))

(SUBSETP (DOMAIN S) NEW-FREE)

This is one of those cases of a problem with free variables in hypotheses that are so annoying. The lemma
DOMAIN-RESTRICT has been proved in "alists.events" (see also Section 3) to help with this. But then we
lose the effect of an existing lemma which applied directly to simplify the term (ALL-VARS F (DOMAIN
(RESTRICT S DOMAIN-1))) (a familiar phenomenon for those familiar with Knuth-Bendix completion).
The lemma VARIABLE-LISTP-INTERSECTION has since been proved in "terms.events" to take care of that
problem.

Now it looks like the rewrite using SUBST-APPEND-NOT-OCCUR-1 should succeed, since all
hypotheses are relieved by rewriting alone. Just to make sure, we back up in PC-NQTHM and see if the BASH
command (which calls the Boyer-Moore prover's simplifier) uses this rule on our original goal. Sure enough, it
does.


Having successfully applied PC-NQTHM's REWRITE command and relieved the resulting hypothesis,
we now have a conclusion that is the one displayed above, i.e.

(THEOREM (SUBST T
                (APPLY-TO-SUBST (NULLIFY-SUBST SG)
                                (CO-RESTRICT S DOMAIN-1))
                X))


Since (as we already know) (NULLIFY-SUBST SG) has the same domain as does SG, and since the
hypotheses imply that (DOMAIN SG) is disjoint from the variables of X, the SUBST expression in this
conclusion should simplify to:

(SUBST T (NULLIFY-SUBST SG)
         (SUBST T (CO-RESTRICT S DOMAIN-1)
                  X))


We therefore need the lemma SUBST-APPLY-TO-SUBST-ELIMINATOR below (which is used under the
substitution where S gets (CO-RESTRICT S DOMAIN-1) and SG gets (NULLIFY-SUBST SG)). [And
so on.]
Appendix A

Events Files: sets, alists, terms, and generalize


THE FILE "sets.events"

;; Requires deftheory enhancement.

;; Requires only ground-zero theory, nqthm mode.

(setq events '(

;; Sets; Matt Kaufmann, Dec. 1989, revised March 1990.  The first few
;; events are some basic events about lists.  I'll take the approach
;; that all these basic functions will be disabled once enough
;; algebraic properties have been proved.  The first two lemmas,
;; LENGTH-CONS and LENGTH-NLISTP, reflect this decision.  I suspect
;; that it's a win in big proofs to keep basic functions disabled.

;; Theories:

; (deftheory set-defns
;   (length properp fix-properp member append subsetp delete
;    disjoint intersection set-diff setp))

(defn length (x)
  (if (listp x)
      (add1 (length (cdr x)))
      0))

(prove-lemma length-nlistp (rewrite)
  (implies (nlistp x)
           (equal (length x) 0)))

(prove-lemma length-cons (rewrite)
  (equal (length (cons a x))
         (add1 (length x))))

(prove-lemma length-append (rewrite)
  (equal (length (append x y))
         (plus (length x) (length y))))

(disable length)

(prove-lemma append-assoc (rewrite)
  (equal (append (append x y) z)
         (append x (append y z))))

(prove-lemma member-cons (rewrite)
  (equal (member a (cons x l))
         (or (equal a x)
             (member a l))))

(prove-lemma member-nlistp (rewrite)
  (implies (nlistp l)
           (not (member a l))))

(disable member)

(defn subsetp (x y)
  (if (nlistp x)
      t
      (and (member (car x) y)
           (subsetp (cdr x) y))))

(defn subsetp-wit (x y)
  (if (nlistp x)
      t
      (if (member (car x) y)
          (subsetp-wit (cdr x) y)
          (car x))))

(prove-lemma subsetp-wit-witnesses (rewrite)
  ; for occasional use in messy proofs; it and its lemmas are kept disabled
  (equal (subsetp x y)
         (not (and (member (subsetp-wit x y) x)
                   (not (member (subsetp-wit x y) y))))))

(prove-lemma subsetp-wit-witnesses-general-1 (rewrite)
  (implies (and (not (member (subsetp-wit x y) x))
                (member a x))
           (member a y)))

(prove-lemma subsetp-wit-witnesses-general-2 (rewrite)
  (implies (and (member (subsetp-wit x y) y)
                (member a x))
           (member a y)))

(disable subsetp-wit-witnesses)

(disable subsetp-wit-witnesses-general-1)

(disable subsetp-wit-witnesses-general-2)

(prove-lemma subsetp-cons-1 (rewrite)
  (equal (subsetp (cons a x) y)
         (and (member a y) (subsetp x y))))

(prove-lemma subsetp-cons-2 (rewrite)
  (implies (subsetp l s)
           (subsetp l (cons a s))))

(prove-lemma subsetp-reflexivity (rewrite)
  (subsetp x x))

(prove-lemma cdr-subsetp (rewrite)
  (subsetp (cdr x) x))

(prove-lemma member-subsetp (rewrite)
  (implies (and (member x y) (subsetp y z))
           (member x z)))

(prove-lemma subsetp-is-transitive (rewrite)
  (implies (and (subsetp x y) (subsetp y z))
           (subsetp x z)))

(prove-lemma member-append (rewrite)
  (equal (member a (append x y))
         (or (member a x) (member a y))))

(prove-lemma subsetp-append (rewrite)
  (equal (subsetp (append x y) z)
         (and (subsetp x z) (subsetp y z))))

(prove-lemma subsetp-of-append-sufficiency (rewrite)
  (implies (or (subsetp a b) (subsetp a c))
           (subsetp a (append b c))))

(prove-lemma subsetp-nlistp (rewrite)
  (implies (nlistp x)
           (and (subsetp x y)
                (equal (subsetp y x)
                       (nlistp y)))))

(prove-lemma subsetp-cons-not-member (rewrite)
  (implies (not (member a x))
           (equal (subsetp x (cons a v))
                  (subsetp x v))))

(disable subsetp)

(defn properp (x)
  (if (listp x)
      (properp (cdr x))
      (equal x nil)))

(defn fix-properp (x)
  (if (listp x)
      (cons (car x)
            (fix-properp (cdr x)))
      nil))

(prove-lemma properp-fix-properp (rewrite)
  (properp (fix-properp x)))

(prove-lemma fix-properp-properp (rewrite)
  (implies (properp x)
           (equal (fix-properp x) x)))

(prove-lemma properp-cons (rewrite)
  (equal (properp (cons x y))
         (properp y)))

(prove-lemma properp-nlistp (rewrite)
  (implies (nlistp x)
           (equal (properp x)
                  (equal x nil))))

(prove-lemma fix-properp-cons (rewrite)
  (equal (fix-properp (cons x y))
         (cons x (fix-properp y))))

(prove-lemma fix-properp-nlistp (rewrite)
  (implies (nlistp x)
           (equal (fix-properp x)
                  nil)))

(prove-lemma properp-append (rewrite)
  (equal (properp (append x y))
         (properp y)))

(prove-lemma fix-properp-append (rewrite)
  (equal (fix-properp (append x y))
         (append x (fix-properp y))))

(prove-lemma append-nil (rewrite)
  (equal (append x nil)
         (fix-properp x)))

(defn delete (x l)
  (if (listp l)
      (if (equal x (car l))
          (cdr l)
          (cons (car l) (delete x (cdr l))))
      l))

(prove-lemma properp-delete (rewrite)
  (equal (properp (delete x l))
         (properp l)))

(defn disjoint (x y)
  (if (listp x)
      (and (not (member (car x) y))
           (disjoint (cdr x) y))
      t))

(defn disjoint-wit (x y)
  ; for occasional use in messy proofs; it and the following lemma are kept disabled
  (if (listp x)
      (if (member (car x) y)
          (car x)
          (disjoint-wit (cdr x) y))
      t))

(prove-lemma disjoint-wit-witnesses (rewrite)
  (equal (disjoint x y)
         (not (and (member (disjoint-wit x y) x)
                   (member (disjoint-wit x y) y)))))

(disable disjoint-wit)

(disable disjoint-wit-witnesses)

(defn intersection (x y)
  (if (listp x)
      (if (member (car x) y)
          (cons (car x)
                (intersection (cdr x) y))
          (intersection (cdr x) y))
      nil))

(prove-lemma properp-intersection (rewrite)
  (properp (intersection x y)))

(defn set-diff (x y)
  (if (listp x)
      (if (member (car x) y)
          (set-diff (cdr x) y)
          (cons (car x) (set-diff (cdr x) y)))
      nil))

(prove-lemma properp-set-diff (rewrite)
  (properp (set-diff x y)))

(defn setp (x)
  (if (not (listp x))
      (equal x nil)
      (and (not (member (car x) (cdr x)))
           (setp (cdr x)))))

(prove-lemma setp-implies-properp (rewrite)
  (implies (setp x)
           (properp x)))

(disable properp)

(deftheory set-defns
  (length properp fix-properp member append subsetp delete
   disjoint intersection set-diff setp properp))

; Set theory lemmas

(prove-lemma delete-cons (rewrite)
  (equal (delete a (cons b x))
         (if (equal a b)
             x
             (cons b (delete a x)))))

(prove-lemma delete-nlistp (rewrite)
  (implies (nlistp x)
           (equal (delete a x) x)))

(prove-lemma listp-delete (rewrite)
  (equal (listp (delete x l))
         (if (listp l)
             (or (not (equal x (car l)))
                 (listp (cdr l)))
             f)))

(prove-lemma delete-non-member (rewrite)
  (implies (not (member x y))
           (equal (delete x y) y)))

(prove-lemma delete-delete (rewrite)
  (equal (delete y (delete x s))
         (delete x (delete y s))))

(prove-lemma member-delete (rewrite)
  (implies (setp x)
           (equal (member a (delete b x))
                  (and (not (equal a b))
                       (member a x)))))

(prove-lemma setp-delete (rewrite)
  (implies (setp x)
           (setp (delete a x))))

(disable delete)

(prove-lemma disjoint-cons-1 (rewrite)
  (equal (disjoint (cons a x) y)
         (and (not (member a y))
              (disjoint x y))))

(prove-lemma disjoint-cons-2 (rewrite)
  (equal (disjoint x (cons a y))
         (and (not (member a x))
              (disjoint x y))))

(prove-lemma disjoint-nlistp (rewrite)
  (implies (or (nlistp x) (nlistp y))
           (disjoint x y)))

(prove-lemma disjoint-symmetry (rewrite)
  (equal (disjoint x y)
         (disjoint y x)))

(prove-lemma disjoint-append-right (rewrite)
  (equal (disjoint u (append y z))
         (and (disjoint u y)
              (disjoint u z))))

(prove-lemma disjoint-append-left (rewrite)
  (equal (disjoint (append y z) u)
         (and (disjoint y u)
              (disjoint z u))))

(prove-lemma disjoint-non-member (rewrite)
  (implies (and (member a x)
                (member a y))
           (not (disjoint x y))))

(prove-lemma disjoint-subsetp-monotone-second (rewrite)
  (implies (and (subsetp y z)
                (disjoint x z))
           (disjoint x y)))

(prove-lemma subsetp-disjoint-2 (rewrite)
  (implies (and (subsetp x y)
                (disjoint y z))
           (disjoint z x)))

(prove-lemma subsetp-disjoint-1 (rewrite)
  (implies (and (subsetp x y)
                (disjoint y z))
           (disjoint x z))
  ((use (disjoint-symmetry (x x) (y z)))
   (disable disjoint-symmetry)))

(prove-lemma subsetp-disjoint-3 (rewrite)
  (implies (and (subsetp x y)
                (disjoint z y))
           (disjoint x z)))

(disable disjoint)

(prove-lemma intersection-disjoint (rewrite)
  (equal (equal (intersection x y) nil)
         (disjoint x y)))

(prove-lemma intersection-nlistp (rewrite)
  (implies (or (nlistp x) (nlistp y))
           (equal (intersection x y) nil)))

(prove-lemma member-intersection (rewrite)
  (equal (member a (intersection x y))
         (and (member a x) (member a y))))

(prove-lemma subsetp-intersection (rewrite)
  (equal (subsetp x (intersection y z))
         (and (subsetp x y) (subsetp x z)))
  ((induct (subsetp x y))))

(prove-lemma intersection-symmetry (rewrite)
  (subsetp (intersection x y)
           (intersection y x)))

(prove-lemma intersection-cons-1 (rewrite)
  (equal (intersection (cons a x) y)
         (if (member a y)
             (cons a (intersection x y))
             (intersection x y))))

(prove-lemma intersection-cons-2 (rewrite)
  (implies (not (member a y))
           (equal (intersection y (cons a x))
                  (intersection y x))))

;; The following is needed because DISJOINT-INTERSECTION-COMMUTER,
;; added during polishing, caused the proof of
;; DISJOINT-DOMAIN-CO-RESTRICT (in "alists.events") to fail.

(prove-lemma intersection-cons-3 (rewrite)
  (implies (member w x)
           (equal (subsetp (intersection y (cons w z))
                           x)
                  (subsetp (intersection y z)
                           x)))
  ((enable intersection)))

(prove-lemma intersection-cons-subsetp (rewrite)
  (subsetp (intersection x y)
           (intersection x (cons a y))))

(prove-lemma subsetp-intersection-left-1 (rewrite)
  (subsetp (intersection x y) x)
  ((enable intersection)))
(prove-lemma subsetp-intersection-left-2 (rewrite)
  (subsetp (intersection x y) y)
  ((enable intersection)))

(prove-lemma subsetp-intersection-sufficiency-1 (rewrite)
  (implies (subsetp y z)
           (subsetp (intersection x y) z))
  ((enable intersection)))

(prove-lemma subsetp-intersection-sufficiency-2 (rewrite)
  (implies (subsetp y z)
           (subsetp (intersection y x) z))
  ((enable intersection)))

(prove-lemma intersection-associative (rewrite)
  (equal (intersection (intersection x y) z)
         (intersection x (intersection y z)))
  ((enable intersection)))

(prove-lemma intersection-elimination (rewrite)
  (implies (subsetp x y)
           (equal (intersection x y)
                  (fix-properp x))))

(prove-lemma length-intersection (rewrite)
  (not (lessp (length x)
              (length (intersection x y)))))

(prove-lemma subsetp-intersection-member (rewrite)
  (implies (and (subsetp (intersection x y) z)
                (not (member a z)))
           (and (implies (member a x)
                         (not (member a y)))
                (implies (member a y)
                         (not (member a x))))))

;; The following wasn't needed in the proof about generalization, but is a nice rule.
(prove-lemma intersection-append (rewrite)
  (equal (intersection (append x y) z)
         (append (intersection x z) (intersection y z))))

;; I'd rather just prove that intersection distributes over append on
;; the right but that isn't true.  Congruence relations would probably
;; help a lot with that problem.  In the meantime, I content myself
;; with the following.

(prove-lemma disjoint-intersection-append (rewrite)
  (equal (disjoint x (intersection y (append z1 z2)))
         (and (disjoint x (intersection y z1))
              (disjoint x (intersection y z2))))
  ((enable intersection)))

;; See comment just above DISJOINT-INTERSECTION-APPEND
(prove-lemma subsetp-intersection-append (rewrite)
  (equal (subsetp (intersection u (append x y))
                  z)
         (and (subsetp (intersection u x) z)
              (subsetp (intersection u y) z))))

(prove-lemma subsetp-intersection-elimination-lemma (rewrite)
  (implies (and (subsetp y x)
                (not (subsetp y z)))
           (not (subsetp (intersection x y) z)))
  ((use (subsetp-is-transitive (x y) (y (intersection x y)) (z z)))
   (disable intersection)))

(prove-lemma subsetp-intersection-elimination (rewrite)
  ;; Interestingly, the prover failed to prove this when I used EQUAL.
  ;; Apparently the IFF causes a necessary case split.
  (implies (subsetp y x)
           (iff (subsetp (intersection x y) z)
                (subsetp y z)))
  ((disable intersection)))

(prove-lemma disjoint-intersection (rewrite)
  (equal (disjoint (intersection x y) z)
         (disjoint x (intersection y z)))
  ((enable intersection)
   (disable disjoint)))

(prove-lemma subsetp-intersection-monotone-1 (rewrite)
  (implies (and (subsetp (intersection x y) z)
                (subsetp x1 x))
           (subsetp (intersection x1 y)
                    z))
  ((enable disjoint subsetp)))

;; The lemma SUBSETP-INTERSECTION-MONOTONE-2 below was added during
;; polishing of the final proof in "generalize.events", since the
;; lemma immediately above wasn't enough at that point.  Actually
;; I realized at this point that intersection commutes from the point
;; of view of subsetp:

(prove-lemma subsetp-intersection-commuter (rewrite)
  (equal (subsetp (intersection x y) z)
         (subsetp (intersection y x) z))
  ((use (subsetp-wit-witnesses (x (intersection y x)) (y z))
        (subsetp-wit-witnesses (x (intersection x y)) (y z)))))

(prove-lemma subsetp-intersection-monotone-2 (rewrite)
  (implies (and (subsetp (intersection y x) z)
                (subsetp x1 x))
           (subsetp (intersection x1 y)
                    z)))

(prove-lemma disjoint-intersection-commuter (rewrite)
  (equal (disjoint x (intersection y z))
         (disjoint x (intersection z y)))
  ((use (disjoint-wit-witnesses (x x) (y (intersection y z)))
        (disjoint-wit-witnesses (x x) (y (intersection z y))))
   (disable intersection)))

(prove-lemma disjoint-intersection3 (rewrite)
  (implies (disjoint free
                     (intersection vars x))
           (equal (intersection x (intersection vars free))
                  nil))
  ((use (disjoint-wit-witnesses
         (x x)
         (y (intersection vars free))))
   (disable intersection)))

(prove-lemma member-set-diff (rewrite)
  (equal (member a (set-diff y z))
         (and (member a y)
              (not (member a z)))))

(prove-lemma subsetp-set-diff-1 (rewrite)
  (subsetp (set-diff x y) x))

(prove-lemma disjointp-set-diff (rewrite)
  (disjoint (set-diff x y) y))

(prove-lemma subsetp-set-diff-2 (rewrite)
  (equal (subsetp x (set-diff y z))
         (and (subsetp x y)
              (disjoint x z)))
  ((enable-theory set-defns)))
(prove-lemma set-diff-cons (rewrite)
  (equal (set-diff (cons a x) y)
         (if (member a y)
             (set-diff x y)
           (cons a (set-diff x y)))))

(prove-lemma set-diff-nlistp (rewrite)
  (implies (nlistp x)
           (equal (set-diff x y) nil)))

;; The following was discovered during final polishing, for the
;; proof of GEN-HYPS-RELIEVED-6-FIRST.

(prove-lemma disjoint-set-diff-general (rewrite)
  (equal (disjoint x (set-diff y z))
         (subsetp (intersection x y) z))
  ((induct (intersection x y))))

(prove-lemma intersection-subsetp-identity (rewrite)
  (implies (and (properp x)
                (subsetp x y))
           (equal (intersection x y) x))
  ((enable subsetp)))

(prove-lemma intersection-x-x (rewrite)
  (implies (properp x)
           (equal (intersection x x) x)))

(prove-lemma subsetp-set-diff-monotone-2 (rewrite)
  (subsetp (set-diff x (append y z))
           (set-diff x z))
  ((disable set-diff)))

(prove-lemma subsetp-set-diff-monotone-second (rewrite)
  (equal (subsetp (set-diff x y) (set-diff x z))
         (subsetp (intersection x z) y))
  ((enable intersection)))

(prove-lemma set-diff-nil (rewrite)
  (equal (set-diff x nil)
         (fix-properp x)))

(prove-lemma set-diff-cons-non-member-1 (rewrite)
  (implies (not (member a x))
           (equal (set-diff x (cons a y))
                  (set-diff x y))))

(prove-lemma length-intersection-set-diff ()
  (equal (length x)
         (plus (length (set-diff x y))
               (length (intersection x y))))
  ((enable set-diff intersection length)))

(prove-lemma length-set-diff-opener (rewrite)
  (equal (length (set-diff x y))
         (difference (length x)
                     (length (intersection x y))))
  ((use (length-intersection-set-diff))))

(prove-lemma listp-set-diff (rewrite)
  (equal (listp (set-diff x y))
         (not (subsetp x y)))
  ((enable set-diff)))

;; Here is a messy lemma about disjoint and such

(prove-lemma disjoint-intersection-set-diff-intersection (rewrite)
  (disjoint x (intersection y (set-diff z (intersection y x))))
  ((enable disjoint-wit-witnesses)
   (disable set-diff)))
(disable set-diff)

(prove-lemma member-fix-properp (rewrite)
  (equal (member a (fix-properp x))
         (member a x)))

(prove-lemma setp-append (rewrite)
  (equal (setp (append x y))
         (and (disjoint x y)
              (setp (fix-properp x))
              (setp y))))

(prove-lemma setp-cons (rewrite)
  (equal (setp (cons a x))
         (and (not (member a x))
              (setp x))))

(prove-lemma setp-nlistp (rewrite)
  (implies (nlistp x)
           (equal (setp x)
                  (equal x nil))))

(defn make-set (l)
  (if (not (listp l))
      nil
    (if (member (car l) (cdr l))
        (make-set (cdr l))
      (cons (car l) (make-set (cdr l))))))

(prove-lemma make-set-preserves-member (rewrite)
  (equal (member x (make-set l))
         (member x l)))

(prove-lemma make-set-preserves-subsetp-1 (rewrite)
  (equal (subsetp (make-set x) (make-set y))
         (subsetp x y)))

(prove-lemma make-set-preserves-subsetp-2 (rewrite)
  (equal (subsetp x (make-set y))
         (subsetp x y))
  ((enable subsetp)))

(prove-lemma make-set-preserves-subsetp-3 (rewrite)
  (equal (subsetp (make-set x) y)
         (subsetp x y)))

(prove-lemma make-set-gives-setp (rewrite)
  (setp (make-set x)))

(prove-lemma make-set-set-diff (rewrite)
  (equal (make-set (set-diff x y))
         (set-diff (make-set x) (make-set y))))

(prove-lemma set-diff-make-set (rewrite)
  (equal (set-diff x (make-set y))
         (set-diff x y))
  ((enable set-diff)))

(prove-lemma listp-make-set (rewrite)
  (equal (listp (make-set x))
         (listp x)))

(disable setp)
;;;;; The following were proved in the course of the final run
;;;;; through the generalization proof.  There are a couple or
;;;;; so noted above here, too.

(prove-lemma set-diff-append (rewrite)
  (equal (set-diff x (append y z))
         (set-diff (set-diff x z) y))
  ((induct (set-diff x z))))

(prove-lemma length-set-diff-leq (rewrite)
  (not (lessp (length x)
              (length (set-diff x y)))))

(prove-lemma lessp-length (rewrite)
  (implies (listp x)
           (lessp 0 (length x)))
  ((enable length)))

(prove-lemma listp-intersection (rewrite)
  (equal (listp (intersection x y))
         (not (disjoint x y)))
  ((enable intersection)))

(prove-lemma length-set-diff-lessp (rewrite)
  (implies (not (disjoint x new))
           (lessp (length (set-diff x new))
                  (length x))))

(prove-lemma disjoint-implies-empty-intersection (rewrite)
  (implies (disjoint x y)
           (equal (intersection x y) nil)))

;; The following lemma DISJOINT-INTERSECTION3-MIDDLE is needed for the
;; proof of ALL-VARS-DISJOINT-OR-SUBSETS-GEN-CLOSURE in
;; generalize.events.  I think I could avoid lemmas like this one if
;; INTERSECTION were actually commutative-associative (in which case
;; I'd get rid of disjoint and rely on normalization).

;; Maybe I should redo the notion of disjoint sometime, perhaps using
;; the fact that intersection is commutative and associative when it's
;; equated with nil.

(prove-lemma disjoint-intersection3-middle (rewrite)
  (implies (disjoint y (intersection x z))
           (equal (intersection x (intersection y z))
                  nil))
  ((use (disjoint-wit-witnesses
         (x x) (y (intersection y z))))))

(prove-lemma disjoint-subsetp-back (rewrite)
  (implies (and (disjoint x
                          (intersection u v))
                (subsetp w x))
           (disjoint u
                     (intersection w v)))
  ((use (disjoint-wit-witnesses
         (x u)
         (y (intersection w v)))
        (disjoint-non-member
         (a (disjoint-wit u (intersection w v)))
         (x x)
         (y (intersection u v)))
        (member-subsetp
         (x (disjoint-wit u
                          (intersection w v)))
         (y w)
         (z x)))
   (disable disjoint-non-member member-subsetp)))


(prove-lemma subsetp-set-diff-sufficiency (rewrite)
  (implies (subsetp x y)
           (subsetp (set-diff x z) y))
  ((enable set-diff)))

;; The following lemma SETP-INTERSECTION-SUFFICIENCY is needed for
;; MAPPING-RESTRICT from "alists.events", because (I believe)
;; DOMAIN-RESTRICT, which was added during polishing, changed the
;; course of the previous proof.  Similarly for
;; SETP-SET-DIFF-SUFFICIENCY and the lemma MAPPING-CO-RESTRICT.

(prove-lemma setp-intersection-sufficiency (rewrite)
  (implies (setp x)
           (setp (intersection x y)))
  ((enable intersection)))

(prove-lemma setp-set-diff-sufficiency (rewrite)
  (implies (setp x)
           (setp (set-diff x y)))
  ((enable set-diff)))

;; The definition of FIX-PROPERP was also added in polishing because
;; of a problem with the proof of GEN-CLOSURE-ACCEPT in
;; "generalize.events".  Here are a couple of lemmas about it that
;; might or might not be useful; all other lemmas about it above, and
;; the definition, were added during polishing.

(disable fix-properp)

(prove-lemma subsetp-fix-properp-1 (rewrite)
  (equal (subsetp (fix-properp x) y)
         (subsetp x y))
  ((enable subsetp)))

(prove-lemma subsetp-fix-properp-2 (rewrite)
  (equal (subsetp x (fix-properp y))
         (subsetp x y))
  ((enable subsetp)))

))
THE FILE "alists.events"

;; Requires deftheory enhancement.

;; Requires sets.

(setq events '(

;; Alists, March 1990.  Most of the definitions and some of the lemmas
;; were contributed by Bill Bevier; the rest are by Matt Kaufmann

;; Functions defined here:

;; (deftheory alist-defns
;;   (alistp domain range value bind rembind invert mapping
;;           restrict co-restrict))

(defn alistp (x)
  (if (listp x)
      (and (listp (car x))
           (alistp (cdr x)))
    (equal x nil)))

(prove-lemma alistp-implies-properp (rewrite)
  (implies (alistp x)
           (properp x)))

(prove-lemma alistp-nlistp (rewrite)
  (implies (nlistp x)
           (equal (alistp x)
                  (equal x nil))))

(prove-lemma alistp-cons (rewrite)
  (equal (alistp (cons a x))
         (and (listp a)
              (alistp x))))

(disable alistp)

(prove-lemma alistp-append (rewrite)
  (equal (alistp (append x y))
         (and (alistp (fix-properp x)) (alistp y))))

(defn domain (map)
  (if (listp map)
      (if (listp (car map))
          (cons (car (car map)) (domain (cdr map)))
        (domain (cdr map)))
    nil))

(prove-lemma properp-domain (rewrite)
  (properp (domain map)))

(prove-lemma domain-append (rewrite)
  (equal (domain (append x y))
         (append (domain x) (domain y))))

(prove-lemma domain-nlistp (rewrite)
  (implies (nlistp map)
           (equal (domain map) nil)))

(prove-lemma domain-cons (rewrite)
  (equal (domain (cons a map))
         (if (listp a)
             (cons (car a) (domain map))
           (domain map))))

(prove-lemma member-domain-sufficiency (rewrite)
  (implies (member (cons a x) y)
           (member a (domain y))))

(prove-lemma subsetp-domain (rewrite)
  (implies (subsetp x y)
           (subsetp (domain x) (domain y))))

(disable domain)

(defn range (map)
  (if (listp map)
      (if (listp (car map))
          (cons (cdr (car map)) (range (cdr map)))
        (range (cdr map)))
    nil))

(prove-lemma properp-range (rewrite)
  (properp (range map)))

(prove-lemma range-append (rewrite)
  (equal (range (append s1 s2))
         (append (range s1) (range s2))))

(prove-lemma range-nlistp (rewrite)
  (implies (nlistp map)
           (equal (range map) nil)))

(prove-lemma range-cons (rewrite)
  (equal (range (cons a map))
         (if (listp a)
             (cons (cdr a) (range map))
           (range map))))

(disable range)

;; BOUNDP has been eliminated in favor of membership in domain.
;; Notice that I have to talk about things like disjointness of
;; domains anyhow.  New definition body would be (member x (domain map)).

;; (defn boundp (x map)
;;   (if (listp map)
;;       (if (listp (car map))
;;           (if (equal x (caar map))
;;               t
;;             (boundp x (cdr map)))
;;         (boundp x (cdr map)))
;;     f))

(defn value (x map)
  (if (listp map)
      (if (and (listp (car map))
               (equal x (caar map)))
          (cdar map)
        (value x (cdr map)))
    0))

(prove-lemma value-nlistp (rewrite)
  (implies (nlistp map)
           (equal (value x map) 0)))

(prove-lemma value-cons (rewrite)
  (equal (value x (cons pair map))
         (if (and (listp pair)
                  (equal x (car pair)))
             (cdr pair)
           (value x map))))

(disable value)

(defn bind (x v map)
  (if (listp map)
      (if (listp (car map))
          (if (equal x (caar map))
              (cons (cons x v) (cdr map))
            (cons (car map) (bind x v (cdr map))))
        (cons (car map) (bind x v (cdr map))))
    (cons (cons x v) nil)))

(defn rembind (x map)
  (if (listp map)
      (if (listp (car map))
          (if (equal x (caar map))
              (cdr map)
            (cons (car map) (rembind x (cdr map))))
        (cons (car map) (rembind x (cdr map))))
    nil))

(defn invert (map)
  (if (listp map)
      (if (listp (car map))
          (cons (cons (cdr (car map))
                      (car (car map)))
                (invert (cdr map)))
        (invert (cdr map)))
    nil))

(prove-lemma properp-invert (rewrite)
  (properp (invert map)))

(prove-lemma invert-nlistp (rewrite)
  (implies (nlistp map)
           (equal (invert map) nil)))

(prove-lemma invert-cons (rewrite)
  (equal (invert (cons pair map))
         (if (listp pair)
             (cons (cons (cdr pair) (car pair))
                   (invert map))
           (invert map))))

(prove-lemma value-invert-not-member-of-domain (rewrite)
  (implies (and (member g (range sg))
                (disjoint (domain s) (domain sg)))
           (not (member (value g (invert sg)) (domain s)))))

(disable invert)

(defn mapping (map)
  ;; an alist with no duplicate keys
  (and (alistp map)
       (setp (domain map))))

;; For when we disable mapping:

(prove-lemma mapping-implies-alistp (rewrite)
  (implies (mapping map)
           (alistp map)))

(prove-lemma mapping-implies-setp-domain (rewrite)
  (implies (mapping map)
           (setp (domain map))))

(defn restrict (s new-domain)
  (if (listp s)
      (if (and (listp (car s))
               (member (caar s) new-domain))
          (cons (car s)
                (restrict (cdr s) new-domain))
        (restrict (cdr s) new-domain))
    nil))

(defn co-restrict (s new-domain)
  (if (listp s)
      (if (and (listp (car s))
               (not (member (caar s) new-domain)))
          (cons (car s)
                (co-restrict (cdr s) new-domain))
        (co-restrict (cdr s) new-domain))
    nil))

(deftheory alist-defns
  (alistp domain range value bind rembind invert mapping
          restrict co-restrict))

;;;; alist lemmas

;; DOMAIN

;; The following was proved in the course of the final run through
;; the generalization proof.  Actually now I see that
;; some other lemmas are now obsolete, so I'll put these both
;; early in the file and delete the others.

(prove-lemma domain-restrict (rewrite)
  (equal (domain (restrict s dom))
         (intersection (domain s) dom))
  ((enable restrict)))

(prove-lemma domain-co-restrict (rewrite)
  (equal (domain (co-restrict s dom))
         (set-diff (domain s) dom))
  ((enable co-restrict)))

(prove-lemma domain-bind (rewrite)
  (equal (domain (bind x v map))
         (if (member x (domain map))
             (domain map)
           (append (domain map) (list x)))))

(prove-lemma domain-rembind (rewrite)
  (equal (domain (rembind x map))
         (delete x (domain map))))

(prove-lemma domain-invert (rewrite)
  (equal (domain (invert map))
         (range map))
  ((enable-theory alist-defns)))

;; RANGE

(prove-lemma range-invert (rewrite)
  (equal (range (invert map))
         (domain map))
  ((enable-theory alist-defns)))

;; BOUNDP

(prove-lemma boundp-bind (rewrite)
  (equal (member x (domain (bind y v map)))
         (or (equal x y)
             (member x (domain map)))))

(prove-lemma boundp-rembind (rewrite)
  (implies (mapping map)
           (equal (member x (domain (rembind y map)))
                  (if (equal x y)
                      f
                    (member x (domain map))))))

(prove-lemma boundp-subsetp ()
  (implies (and (subsetp map1 map2)
                (member name (domain map1)))
           (member name (domain map2))))

(prove-lemma disjoint-domain-singleton (rewrite)
  (and (equal (disjoint (domain s) (list x))
              (not (member x (domain s))))
       (equal (disjoint (list x) (domain s))
              (not (member x (domain s))))))

(prove-lemma boundp-value-invert (rewrite)
  (implies (member x (range map))
           (member (value x (invert map)) (domain map)))
  ((induct (domain map))))

;; VALUE

(prove-lemma value-when-not-bound (rewrite)
  (implies (not (member name (domain map)))
           (equal (value name map)
                  0))
  ((induct (domain map))))

(prove-lemma value-bind (rewrite)
  (equal (value x (bind y v map))
         (if (equal x y)
             v
           (value x map))))

(prove-lemma value-rembind (rewrite)
  (implies (mapping map)
           (equal (value x (rembind y map))
                  (if (equal x y)
                      0
                    (value x map)))))

(prove-lemma value-append (rewrite)
  (equal (value x (append s1 s2))
         (if (member x (domain s1))
             (value x s1)
           (value x s2))))

(prove-lemma value-value-invert (rewrite)
  (implies (and (member x (range s))
                (mapping s))
           (equal (value (value x (invert s))
                         s)
                  x))
  ((enable-theory alist-defns)))

;; MAPPING

(prove-lemma mapping-append (rewrite)
  (equal (mapping (append s1 s2))
         (and (disjoint (domain s1) (domain s2))
              (mapping (fix-properp s1))
              (mapping s2))))

(disable mapping)

;; RESTRICT and CO-RESTRICT

(prove-lemma alistp-restrict (rewrite)
  (alistp (restrict s r)))

(prove-lemma alistp-co-restrict (rewrite)
  (alistp (co-restrict s r)))


(prove-lemma value-restrict (rewrite)
  (implies (and (member a r)
                (member a (domain s)))
           (equal (value a (restrict s r))
                  (value a s))))

(prove-lemma value-co-restrict (rewrite)
  (implies (and (not (member a r))
                (member a (domain s)))
           (equal (value a (co-restrict s r))
                  (value a s))))

(prove-lemma mapping-restrict (rewrite)
  (implies (mapping s)
           (mapping (restrict s x)))
  ((enable mapping)))

(prove-lemma mapping-co-restrict (rewrite)
  (implies (mapping s)
           (mapping (co-restrict s x)))
  ((enable mapping)))

(disable restrict)

(disable co-restrict)

))
THE FILE "terms.events"

;; Requires deftheory, defn-sk, and constrain enhancements.

;; Requires sets and alists libraries.

(setq events '(

;; This is a library of events about terms, including substitutions.

;; A TERMP is either a variable or the application of a function
;; symbol to a "proper list" of terms.  Variables and function symbols
;; are introduced with CONSTRAIN.

;; NOTE:  In functions like TERMP that have a flag, it seems to be
;; important to use T and F rather than, say, T and 'LIST.  That's
;; because otherwise the "worse-than" heuristic will
;; prevent some necessary backchaining in cases where the hypothesis
;; to be relieved is of the form (TERMP 'LIST ...) and an "ancestor"
;; is of the form (TERMP T ...).

;; Definitions:

(deftheory term-defns
  (variablep-intro variable-listp termp function-symbol-intro all-vars))

(deftheory substitution-defns
  (instance var-substp compose apply-to-subst subst
   ;; nullify-subst ;; returns a substitution whose range has no variables
   ))

(constrain variablep-intro (rewrite)
  (and (implies (listp x)
                (not (variablep x)))
       (or (truep (variablep x))
           (falsep (variablep x))))
  ((variablep nlistp)))

(defn variable-listp (x)
  (if (listp x)
      (and (variablep (car x))
           (variable-listp (cdr x)))
    (equal x nil)))

(prove-lemma variable-listp-implies-properp (rewrite)
  (implies (variable-listp x)
           (properp x)))

(prove-lemma variable-listp-cons (rewrite)
  (equal (variable-listp (cons a x))
         (and (variablep a)
              (variable-listp x))))

(prove-lemma variable-nlistp (rewrite)
  (implies (nlistp x)
           (equal (variable-listp x)
                  (equal x nil))))

(disable variable-listp)

(constrain function-symbol-intro (rewrite)
  ;; We designate ZERO as a function symbol
  (function-symbol-p (fn))
  ((function-symbol-p litatom)
   (fn (lambda () 'zero))))

(defn termp (flg x)
  (if flg
      (if (variablep x)
          t
        (if (listp x)
            (and (function-symbol-p (car x))
                 (termp f (cdr x)))
          f))
    (if (listp x)
        (and (termp t (car x))
             (termp f (cdr x)))
      (equal x nil))))

(prove-lemma termp-list-cons (rewrite)
  (equal (termp f (cons a x))
         (and (termp t a)
              (termp f x))))

(prove-lemma termp-list-nlistp (rewrite)
  (implies (nlistp x)
           (equal (termp f x)
                  (equal x nil))))

(prove-lemma termp-t-cons (rewrite)
  (implies flg
           (equal (termp flg (cons a x))
                  (and (function-symbol-p a)
                       (termp f x)))))

(prove-lemma termp-t-nlistp (rewrite)
  (implies (and flg
                (not (listp x)))
           (equal (termp flg x)
                  (variablep x))))

(disable termp)

(prove-lemma termp-list-implies-properp (rewrite)
  (implies (termp f x)
           (properp x))
  ((induct (properp x))))

(defn all-vars (flg x)
  ;; duplicates are ok
  (if flg
      (if (variablep x)
          (list x)
        (if (listp x)
            (all-vars f (cdr x))
          nil))
    (if (listp x)
        (append (all-vars t (car x))
                (all-vars f (cdr x)))
      nil)))

(prove-lemma properp-all-vars (rewrite)
  (properp (all-vars flg x)))

(prove-lemma all-vars-list-cons (rewrite)
  (equal (all-vars f (cons a x))
         (append (all-vars t a)
                 (all-vars f x)))
  ((enable all-vars)))

(prove-lemma all-vars-t-cons (rewrite)
  (implies flg
           (equal (all-vars flg (cons a x))
                  (all-vars f x))))

;; Here is a hack to deal with the flags.

(prove-lemma all-vars-subsetp-append-hack (rewrite)
  (implies (and flg1 flg2)
           (and (subsetp (all-vars flg1 x)
                         (append (all-vars flg2 x) y))
                (subsetp (all-vars flg1 x)
                         (append y (all-vars flg2 x))))))

;; The following is used later in the proof of MEMBER-PRESERVES-DISJOINT-ALL-VARS
;; and could conceivably be of use elsewhere.

(prove-lemma all-vars-flg-boolean nil
  (implies flg
           (equal (all-vars flg x)
                  (all-vars t x)))
  ((enable-theory t)))

(disable all-vars)

(deftheory term-defns
  (variablep-intro variable-listp termp function-symbol-intro all-vars))

;; lemmas about termps

(prove-lemma variable-listp-set-diff (rewrite)
  (implies (variable-listp x)
           (variable-listp (set-diff x y)))
  ((enable-theory term-defns)))

(prove-lemma all-vars-variablep (rewrite)
  (implies (and flg (variablep x))
           (equal (all-vars flg x) (list x)))
  ((enable-theory t)))

(prove-lemma member-variable-listp-implies-variablep (rewrite)
  (implies (and (member a x) (variable-listp x))
           (variablep a))
  ((enable-theory t)))

;; the following was proved in the course of the final run through the
;; generalization proof.

(prove-lemma variable-listp-intersection (rewrite)
  (implies (or (variable-listp x) (variable-listp y))
           (variable-listp (intersection x y)))
  ((enable intersection)))

(prove-lemma termp-range-restrict (rewrite)
  (implies (termp f (range s))
           (termp f (range (restrict s x))))
  ((enable restrict)))

(prove-lemma termp-range-co-restrict (rewrite)
  (implies (termp f (range s))
           (termp f (range (co-restrict s x))))
  ((enable co-restrict)))

(prove-lemma member-preserves-disjoint-all-vars-lemma nil
  (implies (and (disjoint y (all-vars f x))
                (member g x))
           (disjoint y (all-vars t g)))
  ((induct (member g x))))

(prove-lemma member-preserves-disjoint-all-vars (rewrite)
  (implies (and flg
                (disjoint y (all-vars f x))
                (member g x))
           (disjoint y (all-vars flg g)))
  ((use (member-preserves-disjoint-all-vars-lemma)
        (all-vars-flg-boolean (x g)))))

(prove-lemma member-all-vars-subsetp (rewrite)
  (implies (and flg
                (member a x))
           (subsetp (all-vars flg a)
                    (all-vars f x)))
  ((enable member)))

(prove-lemma all-vars-f-monotone (rewrite)
  (implies (subsetp x y)
           (subsetp (all-vars f x) (all-vars f y)))
  ((enable subsetp all-vars)))

;;;;; substitutions: definitions

(defn var-substp (s)
  (and (mapping s)
       (variable-listp (domain s))
       (termp f (range s))))

(defn subst (flg s x)
  ;; works for other than var-substp's
  (if flg
      (if (member x (domain s))
          (value x s)
        (if (variablep x)
            x
          (if (listp x)
              (cons (car x)
                    (subst f s (cdr x)))
            ;; impossible value of f for non-termp
            f)))
    (if (listp x)
        (cons (subst t s (car x))
              (subst f s (cdr x)))
      nil)))

(defn apply-to-subst (s1 s2)
  ;; apply s1 to each term in range of s2
  (if (listp s2)
      (if (listp (car s2))
          (cons (cons (caar s2) (subst t s1 (cdar s2)))
                (apply-to-subst s1 (cdr s2)))
        (apply-to-subst s1 (cdr s2)))
    nil))

(defn compose (s1 s2)
  ;; represents the result of applying s1 and then s2
  (append (apply-to-subst s2 s1)
          s2))

;; Later we may wish to prove correctness of one-way-unify
(defn-sk instance (flg term1 term2)
  ;; term1 is an instance of term2
  (exists one-way-unifier
    (and (var-substp one-way-unifier)
         (equal term1 (subst flg one-way-unifier term2)))))

;; substitution lemmas

(prove-lemma subst-list-cons (rewrite)
  (equal (subst f s (cons a x))
         (cons (subst t s a)
               (subst f s x))))

(prove-lemma subst-list-nlistp (rewrite)
  (implies (nlistp x)
           (equal (subst f s x) nil)))

(prove-lemma subst-t-variablep (rewrite)
  (implies (and flg
                (variablep x))
           (equal (subst flg s x)
                  (if (member x (domain s))
                      (value x s)
                    x))))

(prove-lemma subst-t-non-variablep (rewrite)
  (implies flg
           (equal (subst flg s (cons fn x))
                  (if (member (cons fn x) (domain s))
                      (value (cons fn x) s)
                    (cons fn (subst f s x)))))
  ((enable subst)))

(prove-lemma all-vars-subst-lemma (rewrite)
  (implies (and flg
                (member x (domain s)))
           (subsetp (all-vars flg (value x s))
                    (all-vars f (range s))))
  ;; hint needed for induction
  ((enable range)))

(prove-lemma all-vars-subst (rewrite)
  (implies (termp flg x)
           (subsetp (all-vars flg (subst flg s x))
                    (append (all-vars flg x)
                            (all-vars f (range s)))))
  ((enable termp)))

(prove-lemma subst-occur (rewrite)
  (implies (and flg
                (member x (domain s)))
           (equal (subst flg s x)
                  (value x s))))

(prove-lemma boundp-in-var-substp-implies-variablep (rewrite)
  (implies (and (variable-listp (domain s))
                (not (variablep a)))
           (not (member a (domain s))))
  ((induct (domain s))))

(prove-lemma variablep-value-invert (rewrite)
  (implies (and (variable-listp (domain s))
                (member x (range s)))
           (variablep (value x (invert s))))
  ((induct (range s))))

(prove-lemma subst-invert (rewrite)
  (implies (and (termp flg x)
                (disjoint (domain s) (all-vars flg x))
                (var-substp s))
           (equal (subst flg s (subst flg (invert s) x))
                  x))
  ((enable termp)))

(prove-lemma domain-apply-to-subst (rewrite)
  (equal (domain (apply-to-subst s1 s2))
         (domain s2)))

(prove-lemma alistp-apply-to-subst (rewrite)
  (alistp (apply-to-subst s1 s2)))

(prove-lemma mapping-apply-to-subst (rewrite)
  (implies (mapping s)
           (mapping (apply-to-subst s1 s)))
  ((enable mapping)))

;; Lemmas like the following shouldn't be necessary if congruence
;; relations (as suggested by Bishop Brock) are implemented.

(prove-lemma subst-flg-not-list (rewrite)
  (implies flg
           (and (equal (equal (subst flg s x)
                              (subst t s x))
                       t)
                (equal (equal (subst t s x)
                              (subst flg s x))
                       t))))

(prove-lemma subst-co-restrict (rewrite)
  (implies (and (disjoint x
                          (intersection (domain s) (all-vars flg term)))
                (variable-listp (domain s))
                (termp flg term))
           (equal (subst flg (co-restrict s x) term)
                  (subst flg s term))))

(prove-lemma subst-restrict (rewrite)
  (implies (and (subsetp (intersection (domain s) (all-vars flg term))
                         x)
                (variable-listp (domain s))
                (termp flg term))
           (equal (subst flg (restrict s x) term)
                  (subst flg s term))))

(prove-lemma termp-value (rewrite)
  (implies (and flg
                (member x (domain s))
                (termp f (range s)))
           (termp flg (value x s)))
  ((enable termp)
   (induct (value x s))))

(prove-lemma termp-subst (rewrite)
  (implies (and (termp flg x)
                (termp f (range s)))
           (termp flg (subst flg s x)))
  ((enable termp)))

(prove-lemma termp-domain (rewrite)
  (implies (variable-listp (domain s))
           (termp f (domain s)))
  ((enable termp)
   (induct (domain s))))

(prove-lemma var-substp-apply-to-subst (rewrite)
  (implies (and (termp f (range s))
                (termp f (range sg)))
           (termp f (range (apply-to-subst sg s))))
  ((enable termp)))

(prove-lemma value-apply-to-subst (rewrite)
  (implies (member g (domain s))
           (equal (value g (apply-to-subst sg s))
                  (subst t sg (value g s)))))

(prove-lemma non-variablep-not-member-of-variable-listp (rewrite)
  (implies (and (variable-listp d)
                (not (variablep term)))
           (not (member term d)))
  ((induct (member term d))))

(prove-lemma compose-property-reversed (rewrite)
  (implies (and (variable-listp (domain s2))
                (termp flg x))
           (equal (subst flg (compose s1 s2) x)
                  (subst flg s2 (subst flg s1 x))))
  ((enable termp)))
(prove-lemma compose-property (rewrite)
  (implies (and (variable-listp (domain s2))
                (termp flg x))
           (equal (subst flg s2 (subst flg s1 x))
                  (subst flg (compose s1 s2) x)))
  ((disable compose)))

(disable compose-property-reversed)

(prove-lemma subst-not-occur (rewrite)
  (implies (and (termp flg x)
                (variable-listp (domain s))
                (disjoint (domain s) (all-vars flg x)))
           (equal (subst flg s x) x))
  ((enable termp)))

(prove-lemma disjoint-range-implies-disjoint-value (rewrite)
  (implies (and (member x (domain s))
                flg
                (disjoint z (all-vars f (range s))))
           (disjoint z (all-vars flg (value x s))))
  ((use (subsetp-disjoint-2
         (x (all-vars flg (value x s)))
         (y (all-vars f (range s)))
         (s s)))))

(prove-lemma disjoint-all-vars-subst (rewrite)
  (implies (and (termp flg x)
                (disjoint z (all-vars flg x))
                (disjoint z (all-vars f (range s))))
           (disjoint z (all-vars flg (subst flg s x))))
  ((enable termp)))

(prove-lemma all-vars-variable-listp (rewrite)
  (implies (variable-listp x)
           (equal (all-vars f x)
                  x))
  ((induct (variable-listp x))))

(prove-lemma variable-listp-append (rewrite)
  (equal (variable-listp (append x y))
         (and (variable-listp (fix-properp x))
              (variable-listp y)))
  ((induct (domain s))))

(prove-lemma termp-list-append (rewrite)
  (equal (termp f (append x y))
         (and (termp f (fix-properp x))
              (termp f y)))
  ((induct (range s))))

(prove-lemma apply-to-subst-append (rewrite)
  (equal (apply-to-subst sg (append s1 s2))
         (append (apply-to-subst sg s1)
                 (apply-to-subst sg s2))))

(prove-lemma subst-apply-to-subst (rewrite)
  (implies (and flg
                (member g (domain s)))
           (equal (subst flg (apply-to-subst sg s) g)
                  (subst flg sg (value g s)))))

(prove-lemma subst-append-not-occur-1 (rewrite)
  (implies (and (termp flg x)
                (variable-listp (domain s1))
                (disjoint (all-vars f (domain s1))
                          (all-vars flg x)))
           (equal (subst flg (append s1 s2) x)
                  (subst flg s2 x)))
  ((induct (subst flg s2 x))))

(prove-lemma subst-append-not-occur-2 (rewrite)
  (implies (and (termp flg x)
                (variable-listp (domain s2))
                (disjoint (all-vars f (domain s2))
                          (all-vars flg x)))
           (equal (subst flg (append s1 s2) x)
                  (subst flg s1 x)))
  ((induct (subst flg s2 x))))

(prove-lemma apply-to-subst-is-no-op-for-disjoint-domain (rewrite)
  (implies (and (variable-listp (domain s1))
                (alistp s2)
                (termp f (range s2))
                (disjoint (domain s1) (all-vars f (range s2))))
           (equal (apply-to-subst s1 s2)
                  s2)))

(prove-lemma member-subst (rewrite)
  (implies (and flg (member a x))
           (member (subst flg s a)
                   (subst f s x)))
  ((enable member)))

(prove-lemma subsetp-subst (rewrite)
  (implies (subsetp x y)
           (subsetp (subst f s x)
                    (subst f s y)))
  ((enable subsetp)))

(disable instance)

;;; (disable compose) -- COMPOSE is left enabled for use with COMPOSE-PROPERTY
(disable apply-to-subst)

(disable subst)

(disable rembind)

(disable bind)

;;;;; nullify-subst: a substitution that has a range containing
;;;;; no variables

(defn nullify-subst (s)
  (if (listp s)
      (if (listp (car s))
          (cons (cons (caar s) (list (fn)))
                (nullify-subst (cdr s)))
        (nullify-subst (cdr s)))
    nil))

(prove-lemma properp-nullify-subst (rewrite)
  (properp (nullify-subst s)))

(prove-lemma all-vars-f-range-nullify-subst (rewrite)
  (equal (all-vars f (range (nullify-subst s)))
         nil))

(prove-lemma termp-range-nullify-subst (rewrite)
  (termp f (range (nullify-subst s))))

(prove-lemma domain-nullify-subst (rewrite)
  (equal (domain (nullify-subst s))
         (domain s)))

(prove-lemma mapping-nullify-subst (rewrite)
  (implies (alistp s)
           (equal (mapping (nullify-subst s))
                  (mapping s)))
  ((enable mapping)))
(prove-lemma disjoint-all-vars-subst-nullify-subst (rewrite)
  (implies (termp flg term)
           (disjoint (domain sg)
                     (all-vars flg
                               (subst flg (nullify-subst sg) term))))
  ((enable subst)
   (disable nullify-subst)))

(prove-lemma disjoint-all-vars-range-apply-subst-nullify-subst (rewrite)
  (implies (termp f (range s))
           (disjoint (domain sg)
                     (all-vars f
                               (range (apply-to-subst (nullify-subst sg) s)))))
  ((enable apply-to-subst)
   (disable nullify-subst)))

(disable nullify-subst)

(deftheory substitution-defns
  (instance var-substp compose apply-to-subst subst nullify-subst))

))
THE FILE "generalize.events"

(setq events '(

;; Requires sets, alists, and terms, which however currently contain a
;; smattering of rules that aren't really needed here, even indirectly.

;; This is a proof of soundness of a slight abstraction of the GENERALIZE
;; command of PC-NQTHM.

;;; Here's what I want to prove.

;;; (implies (and (generalize-okp sg state)
;;;               (valid-state (generalize sg state)))
;;;          (valid-state state))

;;; I also prove the much simpler fact, GENERALIZE-STATEP:

;;; (implies (generalize-okp sg state)
;;;          (statep (generalize sg state)))


;; « 1 »

(constrain theorem-intro (rewrite)
  (and (implies (and (theorem x)
                     flg)
                (termp flg x))
       (implies (and (theorem x)
                     flg
                     (var-substp s))
                (theorem (subst flg s x))))
  ((theorem (lambda (x) f))))

;; « 2 »

(defn theorem-list (x)
  (if (listp x)
      (and (theorem (car x))
           (theorem-list (cdr x)))
    (equal x nil)))

;; « 3 »

(prove-lemma theorem-list-properties (rewrite)
  (and (implies (theorem-list x)
                (termp f x))
       (implies (and (theorem-list x)
                     (var-substp s))
                (theorem-list (subst f s x)))))

;; « 4 »

(defn statep (state)
  (and (listp state)
       (termp f (car state))
       (variable-listp (cdr state))))

;; « 5 »

(defn-sk valid-state (state)
  (and (statep state)
       (exists witnessing-instantiation
         (and (var-substp witnessing-instantiation)
              (subsetp (domain witnessing-instantiation) (cdr state))
              (theorem-list (subst f witnessing-instantiation (car state)))))))


;; « 6 »

(defn new-gen-vars (goals free vars)
  (if (listp goals)
      (let ((current-free-vars (intersection free (all-vars t (car goals)))))
        (if (disjoint current-free-vars vars)
            (new-gen-vars (cdr goals) free vars)
          (append current-free-vars
                  (new-gen-vars (cdr goals) free vars))))
    nil))

;; « 7 »

(defn cardinality (x)
  (length (make-set x)))

;; Next goal: get the definition of GEN-CLOSURE accepted.  In fact,
;; the lemma GEN-CLOSURE-ACCEPT below suffices, taking NEW to be
;; (NEW-GEN-VARS GOALS FREE FREE-VARS-SO-FAR), as long as we prove the
;; following lemma, NEW-GEN-VARS-SUBSET.

;; « 8 »

(prove-lemma new-gen-vars-subset (rewrite)
  (subsetp (new-gen-vars goals free vars)
           free))

;; It is interesting to note that the exact form of the following
;; lemma changed while polishing the proof, since rewrite rules
;; applied to the old version so as to make it irrelevant.

;; « 9 »

(prove-lemma gen-closure-accept (rewrite)
  (implies (and (not (subsetp new free-vars-so-far))
                (subsetp new free))
           (lessp (difference (difference (length (make-set free))
                                          (length (intersection (make-set free)
                                                                free-vars-so-far)))
                              (length (intersection (set-diff (make-set free)
                                                              free-vars-so-far)
                                                    new)))
                  (difference (length (make-set free))
                              (length (intersection (make-set free)
                                                    free-vars-so-far))))))

;; Here I have a choice; I could intersect the accumulator with free
;; at the end, or I could assume that it's intersected with free
;; before it's input.  I'll choose the former approach, so that I'll
;; have a simpler rewrite rule and so that I can call gen-closure more
;; simply.  I may wish to commute the arguments to intersection in the
;; exit below, but probably that won't matter because I'll only be
;; talking about membership.

;; « 10 »

(defn gen-closure (goals free free-vars-so-far)
  ;; Returns the goals with variables among the closure of the vars of
  ;; goals-so-far under the "occurs in the same goal as" relation,
  ;; restricted to free.
  (let ((new-free-vars (new-gen-vars goals free free-vars-so-far)))
    (if (subsetp new-free-vars free-vars-so-far)
        (intersection free-vars-so-far free)
      (gen-closure goals free (append new-free-vars free-vars-so-far))))
  ((lessp (cardinality (set-diff free free-vars-so-far)))))

;; « 11 »

(defn generalize-okp (sg state)
  (and (var-substp sg)
       (statep state)
       (disjoint (domain sg)
                 (all-vars f (car state)))
       (listp (car state))
       (disjoint (domain sg) (cdr state))))

;; « 12 »

(defn generalize (sg state)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state)))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p)
                          free
                          (all-vars t new-g))))
        (let ((new-free
               (set-diff free
                         (intersection domain-1 (all-vars f (range sg))))))
          (cons (cons new-g p)
                new-free))))))

;; Here is a fact, not needed elsewhere, that is worth noticing, in
;; case we wish to extend the main theorem to a sequence of
;; PC-NQTHM-like commands.

;; « 13 »

(prove-lemma generalize-statep nil
  (implies (generalize-okp sg state)
           (statep (generalize sg state))))


;; « 14 »

(defn gen-inst (sg state)
  (let ((s (witnessing-instantiation (generalize sg state)))
        (g (caar state))
        (p (cdar state))
        (free (cdr state)))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1 (gen-closure (cons new-g p)
                                   (cdr state)
                                   (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst
                   (nullify-subst sg)
                   (co-restrict s domain-1))))
          (apply-to-subst
           (apply-to-subst s2 sg)
           (append s1 s2)))))))
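Definitions 6 through 14 above (NEW-GEN-VARS, GEN-CLOSURE, GENERALIZE-OKP, GENERALIZE and GEN-INST), rendered as an added Python example that is not code from the paper or its events files. It assumes the term, state and substitution encoding stated in its comments, takes the witness for the generalized state as an argument instead of the Skolem function WITNESSING-INSTANTIATION, and runs on a constructed sample state.

```python
# Added example, not code from the paper or its events files: a Python
# rendering of NEW-GEN-VARS, GEN-CLOSURE, GENERALIZE-OKP, GENERALIZE and
# GEN-INST as defined above, plus the helpers they use.  Assumed encoding:
# a variable is a str, an application is a tuple (fn, arg1, ...), a state
# is (goals, free), a substitution is a list of (key, value) pairs.

def is_var(t):
    return isinstance(t, str)

def all_vars(x, flg=True):
    """(all-vars flg x): variables of a term (flg) or of a term list (not flg).
    Duplicates are dropped; only membership in the result is ever used."""
    out = []
    def walk(t):
        if is_var(t):
            if t not in out:
                out.append(t)
        else:
            for a in t[1:]:
                walk(a)
    for t in ([x] if flg else x):
        walk(t)
    return out

def subst(s, x, flg=True):
    """(subst flg s x): replace each subterm that is a domain element of s by
    its value, outermost first.  Keys may be non-variable terms: that is how
    (invert sg) replaces terms by the new variables of sg."""
    if not flg:
        return [subst(s, t) for t in x]
    for k, v in s:          # (value x s): first binding wins
        if k == x:
            return v
    if is_var(x):
        return x
    return (x[0],) + tuple(subst(s, a) for a in x[1:])

def invert(s):
    return [(v, k) for k, v in s]

def restrict(s, keys):
    return [(k, v) for k, v in s if k in keys]

def co_restrict(s, keys):
    return [(k, v) for k, v in s if k not in keys]

NULL_TERM = ("fn",)   # stands for the constant (FN): a term with no variables

def nullify_subst(s):
    return [(k, NULL_TERM) for k, _ in s]

def apply_to_subst(s1, s2):
    """(apply-to-subst s1 s2): apply s1 to every range element of s2."""
    return [(k, subst(s1, v)) for k, v in s2]

def new_gen_vars(goals, free, vars_):
    """Free variables of every goal that shares a variable with vars_."""
    acc = []
    for goal in goals:
        current = [v for v in free if v in all_vars(goal)]
        if any(v in vars_ for v in current):
            acc += [v for v in current if v not in acc]
    return acc

def gen_closure(goals, free, so_far):
    """Close so_far under "occurs in the same goal as", restricted to free."""
    while True:                      # each round adds a new member of free
        new = new_gen_vars(goals, free, so_far)
        if all(v in so_far for v in new):
            return [v for v in so_far if v in free]
        so_far = [v for v in new if v not in so_far] + so_far

def generalize_okp(sg, state):
    """GENERALIZE-OKP: sg binds fresh variables absent from goals and free."""
    goals, free = state
    dom = [k for k, _ in sg]
    return (all(is_var(k) for k in dom) and len(set(dom)) == len(dom)
            and len(goals) > 0
            and not any(v in all_vars(goals, False) for v in dom)
            and not any(v in free for v in dom))

def generalize(sg, state):
    """GENERALIZE: rewrite the first goal and shrink the free-variable list."""
    (g, *p), free = state
    new_g = subst(invert(sg), g)
    domain_1 = gen_closure([new_g] + p, free, all_vars(new_g))
    range_vars = all_vars([v for _, v in sg], False)
    new_free = [v for v in free if not (v in domain_1 and v in range_vars)]
    return ([new_g] + p, new_free)

def gen_inst(sg, state, s):
    """GEN-INST, with the witness s for (generalize sg state) passed in."""
    (g, *p), free = state
    new_g = subst(invert(sg), g)
    domain_1 = gen_closure([new_g] + p, free, all_vars(new_g))
    s1 = restrict(s, domain_1)
    s2 = apply_to_subst(nullify_subst(sg), co_restrict(s, domain_1))
    return apply_to_subst(apply_to_subst(s2, sg), s1 + s2)

# Constructed sample: generalize g(y) to V in f(x, g(y)).  y also occurs in
# the second goal, so it is tied to the generalized term and stops being free.
SAMPLE_STATE = ([("f", "x", ("g", "y")), ("h", "x", "y"), ("k", "z")],
                ["x", "y", "z"])
SAMPLE_SG = [("V", ("g", "y"))]
```

On the sample, generalize returns the goals with f(x, V) in front and the free list shrunk to x and z, and gen_inst turns a witness for that generalized state back into one whose domain lies within the original free list.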

;; Let's see that it suffices to prove the result of opening up the
;; conclusion of the main theorem with a particular witness.

(add-axiom main-theorem-1 (rewrite)
  (let ((wit (gen-inst sg state)))
    (implies (and (generalize-okp sg state)
                  (valid-state (generalize sg state)))
             (and (statep state)
                  (var-substp wit)
                  (subsetp (domain wit) (cdr state))
                  (theorem-list (subst f wit (car state)))))))

(prove-lemma generalize-is-correct (rewrite)
  (implies (and (generalize-okp sg state)
                (valid-state (generalize sg state)))
           (valid-state state))
  ((disable-theory t)
   (enable-theory ground-zero)
   (enable main-theorem-1)
   (use (valid-state
         (witnessing-instantiation (gen-inst sg state))))))


;; So, it suffices to prove main-theorem-1.  The first three conjuncts
;; of the conclusion are quite trivial.

;; « 15 »

(prove-lemma main-theorem-1-case-1 (rewrite)
  (implies (generalize-okp sg state)
           (statep state)))
;; We put one direction of the definition of valid-state here, for
;; efficiency in proofs.

;; « 16 »

(prove-lemma valid-state-opener (rewrite)
  (equal (valid-state state)
         (and (statep state)
              (let ((witnessing-instantiation (witnessing-instantiation state)))
                (and (var-substp witnessing-instantiation)
                     (subsetp (domain witnessing-instantiation) (cdr state))
                     (theorem-list (subst f witnessing-instantiation (car state)))))))
  ((disable-theory t)
   (enable-theory ground-zero)
   (use (valid-state (witnessing-instantiation (witnessing-instantiation state))))))

;; « 17 »

(prove-lemma main-theorem-1-case-2 (rewrite)
  (let ((wit (gen-inst sg state)))
    (implies (and (generalize-okp sg state)
                  (valid-state (generalize sg state)))
             (var-substp wit)))
  ((disable generalize)))

;; « 18 »

(prove-lemma subsetp-cdr-generalize (rewrite)
  (subsetp (cdr (generalize sg state)) (cdr state)))

;; At this point I had to prove SUBSETP-SET-DIFF-SUFFICIENCY because
;; of some lemma that was created during the polishing process
;; (perhaps DOMAIN-RESTRICT).

;; « 19 »

(prove-lemma main-theorem-1-case-3 (rewrite)
  (let ((wit (gen-inst sg state)))
    (implies (valid-state (generalize sg state))
             (subsetp (domain wit) (cdr state))))
  ((disable generalize)))

;; So now we only have to prove MAIN-THEOREM-1-CASE-4 (written here
;; without use of LET):

(add-axiom main-theorem-1-case-4 (rewrite)
  (implies (and (generalize-okp sg state)
                (valid-state (generalize sg state)))
           (theorem-list (subst f (gen-inst sg state) (car state)))))

(prove-lemma main-theorem-1 (rewrite)
  (let ((wit (gen-inst sg state)))
    (implies (and (generalize-okp sg state)
                  (valid-state (generalize sg state)))
             (and (statep state)
                  (var-substp wit)
                  (subsetp (domain wit) (cdr state))
                  (theorem-list (subst f wit (car state))))))
  ((disable-theory t)
   (enable-theory ground-zero)
   (enable main-theorem-1-case-1 main-theorem-1-case-2
           main-theorem-1-case-3 main-theorem-1-case-4)))


;; « 20 »

(defn gen-setting-substitutions (s1 s2 sg)
  (and (var-substp s1)
       (var-substp s2)
       (var-substp sg)
       (disjoint (domain s1) (domain sg))
       (disjoint (domain s2) (domain sg))
       (disjoint (all-vars f (range sg))
                 (domain s1))
       (disjoint (all-vars f (range s2)) (domain sg))))

;; « 21 »

(defn main-hyps (s1 s2 sg g p)
  (and (termp t g)
       (disjoint (all-vars t g) (domain sg))
       (termp f p)
       (disjoint (all-vars f p) (domain sg))
       (gen-setting-substitutions s1 s2 sg)
       (theorem-list (subst f (append s1 s2)
                            (cons (subst t (invert sg) g) p)))))

;; The goal above, MAIN-THEOREM-1-CASE-4, should follow from the
;; following two lemmas.

(add-axiom main-hyps-suffice (rewrite)
  (implies (and (listp goals)
                (main-hyps s1 s2 sg (car goals) (cdr goals)))
           (theorem-list (subst f
                                (apply-to-subst (apply-to-subst s2 sg)
                                                (append s1 s2))
                                goals))))

(add-axiom main-hyps-relieved (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (main-hyps s1 s2 sg g p)))))))

(prove-lemma main-theorem-1-case-4 (rewrite)
  (implies (and (generalize-okp sg state)
                (valid-state (generalize sg state)))
           (theorem-list (subst f (gen-inst sg state) (car state))))
  ((disable-theory t)
   (enable-theory ground-zero)
   (enable gen-inst main-hyps-suffice generalize-okp main-hyps-relieved)))


;; So, now let us start with MAIN-HYPS-SUFFICE.  It should follow from
;; two subgoals, as shown:

(add-axiom main-hyps-suffice-first (rewrite)
  (implies (main-hyps s1 s2 sg g p)
           (theorem (subst t
                           (apply-to-subst (apply-to-subst s2 sg)
                                           (append s1 s2))
                           g))))

(add-axiom main-hyps-suffice-rest (rewrite)
  (implies (main-hyps s1 s2 sg g p)
           (theorem-list (subst f
                                (apply-to-subst (apply-to-subst s2 sg)
                                                (append s1 s2))
                                p))))

(prove-lemma main-hyps-suffice (rewrite)
  (implies (and (listp goals)
                (main-hyps s1 s2 sg (car goals) (cdr goals)))
           (theorem-list (subst f
                                (apply-to-subst (apply-to-subst s2 sg)
                                                (append s1 s2))
                                goals)))
  ((disable-theory t)
   (enable-theory ground-zero)
   (enable theorem-list subst main-hyps-suffice-first main-hyps-suffice-rest)))


;; Consider the first of these.  Although COMPOSE-PROPERTY is
;; used in the proof (because it's enabled), it's actually not
;; necessary.  A proof took slightly over 10 minutes with the rule
;; enabled, and roughly 9 minutes without; at least this was the
;; case at one point during the proof development.

;; « 22 »

(prove-lemma main-hyps-suffice-first-lemma-general nil
  (implies (and (termp flg g)
                (disjoint (all-vars flg g) (domain sg))
                (gen-setting-substitutions s1 s2 sg)
                (equal sg-1 (invert sg)))
           (equal (subst flg
                         (apply-to-subst (apply-to-subst s2 sg)
                                         (append s1 s2))
                         g)
                  (subst flg (apply-to-subst s2 sg)
                         (subst flg (append s1 s2)
                                (subst flg sg-1 g)))))
  ((induct (subst flg sg-1 g))))


;; « 23 »

(prove-lemma main-hyps-suffice-first-lemma (rewrite)
  (implies (and (termp t g)
                (disjoint (all-vars t g) (domain sg))
                (gen-setting-substitutions s1 s2 sg))
           (equal (subst t
                         (apply-to-subst (apply-to-subst s2 sg)
                                         (append s1 s2))
                         g)
                  (subst t (apply-to-subst s2 sg)
                         (subst t (append s1 s2)
                                (subst t (invert sg) g)))))
  ((use (main-hyps-suffice-first-lemma-general (flg t) (sg-1 (invert sg))))
   (disable-theory t)
   (enable-theory ground-zero)))


;; « 24 »

(prove-lemma main-hyps-suffice-first (rewrite)
  (implies (main-hyps s1 s2 sg g p)
           (theorem (subst t
                           (apply-to-subst (apply-to-subst s2 sg)
                                           (append s1 s2))
                           g)))
  ;; Disabling compose-property is necessary so that the fact
  ;; that theoremhood is inherited upon substitution is used.  Disabling
  ;; APPLY-TO-SUBST-APPEND is necessary so that
  ;; MAIN-HYPS-SUFFICE-FIRST-LEMMA is used (a Knuth-Bendix sort of
  ;; problem).
  ((disable compose-property apply-to-subst-append)))


;; The following is useful with s = (append s1 s2).

;; « 25 »

(prove-lemma main-hyps-suffice-rest-lemma (rewrite)
  (implies (and (termp flg p)
                (variable-listp (domain sg))
                (disjoint (all-vars flg p) (domain sg)))
           (equal (subst flg
                         (apply-to-subst (apply-to-subst s2 sg)
                                         s)
                         p)
                  (subst flg
                         (apply-to-subst s2 sg)
                         (subst flg s p)))))
;; « 26 »

(prove-lemma main-hyps-suffice-rest (rewrite)
  (implies (main-hyps s1 s2 sg g p)
           (theorem-list (subst f
                                (apply-to-subst (apply-to-subst s2 sg)
                                                (append s1 s2))
                                p)))
  ;; If I don't disable compose-property I get an infinite loop
  ;; in the rewriter, it seems.
  ((disable apply-to-subst-append compose-property)))


;; « 27 »

(prove-lemma main-hyps-suffice (rewrite)
  (implies (and (listp goals)
                (main-hyps s1 s2 sg (car goals) (cdr goals)))
           (theorem-list (subst f
                                (apply-to-subst (apply-to-subst s2 sg)
                                                (append s1 s2))
                                goals)))
  ((disable-theory t)
   (enable-theory ground-zero)
   (enable theorem-list subst main-hyps-suffice-first main-hyps-suffice-rest)))


;; I'll disable the two lemmas used above so that I avoid the possibility
;; of looping with compose-property.

;; « 28 »

(disable main-hyps-suffice-first-lemma)

;; « 29 »

(disable main-hyps-suffice-rest-lemma)

;; All that remains now is to prove MAIN-HYPS-RELIEVED.  If we open up
;; MAIN-HYPS we see what the necessary subgoals are.  Recall the
;; definition of MAIN-HYPS:

(defn main-hyps (s1 s2 sg g p)
  (and (termp t g)
       (disjoint (all-vars t g) (domain sg))
       (termp f p)
       (disjoint (all-vars f p) (domain sg))
       (gen-setting-substitutions s1 s2 sg)
       (theorem-list (subst f (append s1 s2)
                            (cons (subst t (invert sg) g) p)))))


;; « 30 »

(prove-lemma main-hyps-relieved-1 (rewrite)
  (let ((g (caar state)))
    (implies (generalize-okp sg state)
             (termp t g))))

;; « 31 »

(prove-lemma main-hyps-relieved-2 (rewrite)
  (let ((g (caar state)))
    (implies (generalize-okp sg state)
             (disjoint (all-vars t g) (domain sg)))))

;; « 32 »

(prove-lemma main-hyps-relieved-3 (rewrite)
  (let ((p (cdar state)))
    (implies (generalize-okp sg state)
             (termp f p))))

;; « 33 »

(prove-lemma main-hyps-relieved-4 (rewrite)
  (let ((p (cdar state)))
    (implies (generalize-okp sg state)
             (disjoint (all-vars f p) (domain sg)))))


(add-axiom main-hyps-relieved-5 (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (gen-setting-substitutions s1 s2 sg)))))))

(add-axiom main-hyps-relieved-6 (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (theorem-list (subst f (append s1 s2)
                                        (cons (subst t (invert sg) g) p)))))))))

(prove-lemma main-hyps-relieved (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (main-hyps s1 s2 sg g p))))))
  ((disable-theory t)
   (enable-theory ground-zero)
   (enable main-hyps main-hyps-relieved-1 main-hyps-relieved-2
           main-hyps-relieved-3 main-hyps-relieved-4
           main-hyps-relieved-5 main-hyps-relieved-6)))


;; So, it remains to prove the goals MAIN-HYPS-RELIEVED-5 and
;; MAIN-HYPS-RELIEVED-6.  Let us start with the first.  Opening up
;; GEN-SETTING-SUBSTITUTIONS gives us a number of subgoals.

;; The case for the first two conjuncts of GEN-SETTING-SUBSTITUTIONS
;; do not require knowledge about DOMAIN-1 (or G, P, FREE, or NEW-G),
;; but simply follow from the validity of the state (GENERALIZE SG
;; STATE).  Disabling GENERALIZE is very useful for the first of these




;; (probably not necessary, though I didn't let the prover run long
;; enough to find out for sure).

;; « 34 »

(prove-lemma main-hyps-relieved-5-lemma-1 (rewrite)
  (let ((s (witnessing-instantiation (generalize sg state))))
    (let ((s1 (restrict s domain-1))
          (s2 (apply-to-subst (nullify-subst sg)
                              (co-restrict s domain-1))))
      (implies (valid-state (generalize sg state))
               (and (var-substp s1)
                    (var-substp s2)))))
  ((disable generalize)))

;; The next case is trivial.

;; « 35 »

(prove-lemma main-hyps-relieved-5-lemma-2 (rewrite)
  (implies (generalize-okp sg state)
           (var-substp sg)))

;; For the next two conjuncts of GEN-SETTING-SUBSTITUTIONS we first
;; observe that (DOMAIN S) is disjoint from (DOMAIN SG), and then we
;; use SUBSETP-DISJOINT-3 where X is the domain of S1 or S2, Y is the
;; domain of S, and Z is the domain of SG:

;; (IMPLIES (AND (SUBSETP X Y) (DISJOINT Z Y))
;;          (DISJOINT X Z))

;; « 36 »

(prove-lemma witnessing-instantiation-is-disjoint-from-generalizing-substitution nil
  (let ((s (witnessing-instantiation (generalize sg state))))
    (implies (and (generalize-okp sg state)
                  (valid-state (generalize sg state)))
             (disjoint (domain s) (domain sg)))))

;; Here we abstract away DOMAIN-1 (and hence G, P, FREE, and NEW-G).

;; Incidentally, a similar phenomenon occurred here to the one
;; reported just above the statement of MAIN-THEOREM-1-CASE-3:
;; final polishing resulted in the need for another lemma.  That extra
;; lemma is DISJOINT-SET-DIFF-SUFFICIENCY in this case, to be found in
;; "sets.events".

;; « 37 »

(prove-lemma main-hyps-relieved-5-lemma-3 (rewrite)
  (let ((s (witnessing-instantiation (generalize sg state))))
    (let ((s1 (restrict s domain-1))
          (s2 (apply-to-subst (nullify-subst sg)
                              (co-restrict s domain-1))))
      (implies (and (generalize-okp sg state)
                    (valid-state (generalize sg state)))
               (and (disjoint (domain s1) (domain sg))
                    (disjoint (domain s2) (domain sg))))))
  ((use (witnessing-instantiation-is-disjoint-from-generalizing-substitution))
   (disable generalize-okp valid-state-opener generalize)))

;; The lemma MAIN-HYPS-RELIEVED-5-LEMMA-4-WIT is true because the
;; domain of s is contained in the free variables of the generalized
;; state (by choice, i.e. definition, of WITNESSING-INSTANTIATION),
;; which is disjoint from the intersection of the indicated
;; GEN-CLOSURE with the variables in the range of sg.  I'll use a
;; trick that I learned from Ken Kunen (definable Skolem function is
;; all, really) to reduce disjointness considerations to membership
;; considerations.

;; « 38 »

(prove-lemma main-hyps-relieved-5-lemma-4-wit (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1)))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state))
                        (member wit (all-vars t (range sg)))
                        (member wit (domain s)))
                   (not (member wit domain-1)))))))
  ((disable gen-closure subst invert all-vars restrict)))

;; « 39 »

(prove-lemma main-hyps-relieved-5-lemma-4 (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1)))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (disjoint (all-vars f (range sg))
                             (domain s1)))))))
  ((disable-theory t)
   (enable-theory ground-zero)
   (enable domain-restrict member-intersection
           disjoint-wit-witnesses main-hyps-relieved-5-lemma-4-wit)))


;; « 40 »

(prove-lemma main-hyps-relieved-5-lemma-5 (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (disjoint (all-vars f (range s2))
                             (domain sg))))))))


;; « 41 »

(prove-lemma main-hyps-relieved-5 (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (gen-setting-substitutions s1 s2 sg))))))
  ((disable-theory t)
   (enable-theory ground-zero)
   (enable gen-setting-substitutions
           main-hyps-relieved-5-lemma-1 main-hyps-relieved-5-lemma-2
           main-hyps-relieved-5-lemma-3
           main-hyps-relieved-5-lemma-4 main-hyps-relieved-5-lemma-5)))
;; Now we begin the remaining goal, MAIN-HYPS-RELIEVED-6.  The idea is
;; to show that the appropriate goal list is a theorem-list by showing
;; separately that the first and the rest are theorems, since the
;; reasons are slightly different.  The FIRST is a theorem because its
;; free vars are all in domain-1, hence in the domain of s1; so, s2
;; can be dropped from the APPEND.  The REST all have the property
;; that their free vars are contained in or disjoint from domain-1,
;; and for those disjoint from it, they do not contain variables from
;; the domain of sg.  Notice that the new current (FIRST) goal may
;; violate the latter requirement, since it may have no free vars at
;; all but contain vars from the domain of sg.  That's why we have to
;; make a special case out of it.


(add-axiom main-hyps-relieved-6-first (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (theorem (subst t (append s1 s2)
                                   new-g))))))))

(add-axiom main-hyps-relieved-6-rest (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (theorem-list (subst f (append s1 s2) p))))))))

(prove-lemma main-hyps-relieved-6 (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (theorem-list (subst f (append s1 s2)
                                        (cons (subst t (invert sg) g) p))))))))
  ((disable-theory t)
   (enable-theory ground-zero)
   (enable main-hyps-relieved-6-first main-hyps-relieved-6-rest
           subst theorem-list)))


;; The first is true because the free vars in new-g are all in the
;; domain of s1, since they are all in domain-1.  By the way, the
;; proof-checker was useful here; I dove to the subst term (after
;; adding abbreviations and promoting hypotheses) and saw that I
;; wanted to rewrite with SUBST-APPEND-NOT-OCCUR-2.  I also noticed the
;; need for GEN-CLOSURE-CONTAINS-THIRD-ARG during the attempt to prove
;; a goal.

;; First, we only want to open up GENERALIZE when we are looking at
;; goals, not when we are simply asking about the witnessing
;; substitution.  I believe that this speeds up the proofs
;; considerably.

;; « 42 »

(prove-lemma car-generalize (rewrite)
  (equal (car (generalize sg state))
         (cons (subst t (invert sg) (caar state))
               (cdar state))))


;; « 43 »

(disable generalize)

;; Inspection of the proof of a subgoal of MAIN-HYPS-RELIEVED-6-FIRST
;; suggests that we need the following lemma.  Actually, before the
;; final polishing it was the case that the following version sufficed.
;; But final polishing led me to prove a ``better'' version, as well
;; as the lemma DISJOINT-SET-DIFF-GENERAL in "sets.events".

(prove-lemma gen-closure-contains-third-arg (rewrite)
  (implies (subsetp domain free)
           (subsetp (intersection domain vars)
                    (gen-closure goals free vars))))

;; « 44 »

(prove-lemma gen-closure-contains-third-arg (rewrite)
  (implies (subsetp x (intersection free vars))
           (subsetp x
                    (gen-closure goals free vars))))


;; « 45 »

(prove-lemma main-hyps-relieved-6-first (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (theorem (subst t (append s1 s2) new-g))))))))

;; Now we embark on the final goal, MAIN-HYPS-RELIEVED-6-REST.  The
;; idea is that one splits the witnessing substitution s into two
;; appropriate parts, s1 and s2.  These parts are the respective
;; restriction and (approximately) co-restriction of the original
;; witnessing substitution s to some set that is ``closed'' in the
;; appropriate sense.  Actually, the co-restriction is allowed to have
;; a substitution applied to it, whose domain is disjoint from the
;; variables occurring in goals ``outside'' that closure.  Below we
;; give the lemmas and the proof of MAIN-HYPS-RELIEVED-6 from those
;; lemmas.  But first let us introduce the necessary notions.

;; « 46 »

(defn all-vars-disjoint-or-subsetp (p free x)
  ;; says that every goal's free variables are either contained
  ;; in x or are disjoint from x
  (if (listp p)
      (and (or (subsetp (intersection free (all-vars t (car p)))
                        x)
               (disjoint (intersection free (all-vars t (car p)))
                         x))
           (all-vars-disjoint-or-subsetp (cdr p) free x))
    t))

;; Our plan will be to show that (CDAR STATE), i.e. p, has the above
;; property with respect to the free variables of the generalized
;; state and the appropriate gen-closure.  In cases where one applies
;; a substitution of the form (append s1 s2) to such a list of goals,
;; where the domain of s1 is contained in the intersection of those
;; free variables with that closure and the domain of s2 is disjoint
;; from that intersection, we expect that the result is a theorem-list
;; if each of the following is a theorem-list: apply s1 to the goals
;; whose vars intersect its domain, and apply s2 to the rest.
;; Reduction rules about applying restrictions etc. will then finish
;; the job.

;; Notice the similarity of the following definition with new-gen-vars.
;; Think of vars as the closure variables, and free as the free variable
;; set within which this all ``takes place''.

;; « 47 »

(defn goals-disjoint-from-vars (goals free vars)
  (if (listp goals)
      (let ((current-free-vars (intersection free (all-vars t (car goals)))))
        (if (disjoint current-free-vars vars)
            (cons (car goals)
                  (goals-disjoint-from-vars (cdr goals) free vars))
          (goals-disjoint-from-vars (cdr goals) free vars)))
    nil))

;; Now all that remains is MAIN-HYPS-RELIEVED-6-REST.  I originally
;; forgot the (TERMP F P) hypothesis of
;; MAIN-HYPS-RELIEVED-6-REST-GENERALIZATION below, but it wasn't very
;; hard to back up and fix this.


(add-axiom main-hyps-relieved-6-rest-generalization (rewrite)
  (let ((s1 (restrict s domain-1))
        (s2 (apply-to-subst (nullify-subst sg)
                            (co-restrict s domain-1))))
    (implies (and (var-substp sg)
                  (var-substp s)
                  (subsetp (domain s) new-free)
                  (termp f p)
                  (theorem-list (subst f s p))
                  (disjoint (domain sg)
                            (all-vars f (goals-disjoint-from-vars
                                         p new-free domain-1)))
                  (all-vars-disjoint-or-subsetp p new-free domain-1))
             (theorem-list (subst f (append s1 s2) p)))))

(add-axiom main-hyps-relieved-6-rest-lemma-1 (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (disjoint (domain sg)
                             (all-vars f (goals-disjoint-from-vars
                                          p (cdr (generalize sg state))
                                          domain-1)))))))))

;; Minor note: I used the BREAK-LEMMA feature of NQTHM to realize
;; that I needed the following lemma.

(add-axiom main-hyps-relieved-6-rest-lemma-2 (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (all-vars-disjoint-or-subsetp p (cdr (generalize sg state))
                                                 domain-1)))))))


(prove-lemma main-hyps-relieved-6-rest (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (theorem-list (subst f (append s1 s2) p)))))))
  ((disable-theory t)
   (enable-theory ground-zero)
   (enable ;; so that we can get at p from (car state):
           theorem-list subst car-generalize
           ;; relieving hyps of main-hyps-relieved-6-rest-generalization:
           main-hyps-relieved-6-rest-lemma-1 main-hyps-relieved-6-rest-lemma-2
           ;; to relieve the (termp f p) hypothesis in
           ;; main-hyps-relieved-6-rest-generalization:
           statep termp-list-cons
           generalize-okp valid-state-opener
           main-hyps-relieved-6-rest-generalization)))

;; At this point I did a sanity check and sure enough, the pushed
;; lemmas all go through at this point: MAIN-HYPS-RELIEVED-6,
;; MAIN-HYPS-RELIEVED, MAIN-THEOREM-1-CASE-4, MAIN-THEOREM-1, and
;; GENERALIZE-IS-CORRECT.

;; It remains to prove MAIN-HYPS-RELIEVED-6-REST-LEMMA-1,
;; MAIN-HYPS-RELIEVED-6-REST-LEMMA-2, and
;; MAIN-HYPS-RELIEVED-6-REST-GENERALIZATION.

;; For the first of these we need the following trivial observation.

;; « 48 »

(prove-lemma goals-disjoint-from-vars-subsetp (rewrite)
  (subsetp (goals-disjoint-from-vars goals free vars)
           goals))

;; Unfortunately the observation above doesn't quite suffice, because
;; of a technical problem with free variables in hypotheses.  The
;; following consequence does, though.

;; « 49 »

(prove-lemma disjoint-all-vars-goals-disjoint-from-vars (rewrite)
  (implies (disjoint x (all-vars f goals))
           (disjoint x (all-vars f (goals-disjoint-from-vars goals free vars))))
  ((use (all-vars-f-monotone (x (goals-disjoint-from-vars goals free vars))
                             (y goals)))
   (disable all-vars-f-monotone)))

;; « 50 »

(prove-lemma main-hyps-relieved-6-rest-lemma-1 (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (disjoint (domain sg)
                             (all-vars f (goals-disjoint-from-vars
                                          p (cdr (generalize sg state))
                                          domain-1)))))))))

;; The next goal, MAIN-HYPS-RELIEVED-6-REST-LEMMA-2, needs the lemma
;; ALL-VARS-DISJOINT-OR-SUBSETP-GEN-CLOSURE below.  That lemma's
;; mechanical proof depends on the trivial observation
;; DISJOINT-INTERSECTIONS-MIDDLE in file sets.events.

;; « 51 »

(prove-lemma all-vars-disjoint-or-subsetp-gen-closure
  (rewrite)
  (implies (subsetp new-free free)
           (all-vars-disjoint-or-subsetp
            goals new-free (gen-closure (cons g goals) free vars))))

;; « 52 »

(prove-lemma main-hyps-relieved-6-rest-lemma-2 (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (all-vars-disjoint-or-subsetp
                    p (cdr (generalize sg state)) domain-1))))))

;; Finally, all that's left is
;; MAIN-HYPS-RELIEVED-6-REST-GENERALIZATION.  An attempted proof by
;; induction of that theorem results in 11 goals, all but one of which
;; go through automatically.  The tech. report shows how I used
;; PC-NQTHM to figure things out.  In particular, our problems
;; are now reduced to the following goal.

;;;  (SUBST T (NULLIFY-SUBST SG)
;;;         (SUBST T (CO-RESTRICT S DOMAIN-1)
;;;                X))

;; We need the lemma SUBST-APPLY-TO-SUBST-ELIMINATOR below (which is
;; used under the substitution where S gets (CO-RESTRICT S DOMAIN-1)
;; and SG gets (NULLIFY-SUBST SG)).  However, we'll immediately derive
;; the desired consequence and then disable this lemma, since it
;; appears that it would loop with COMPOSE-PROPERTY.

;; « 53 »

(prove-lemma subst-apply-to-subst-eliminator (rewrite)
  (implies (and (variable-listp (domain sg))
                (variable-listp (domain s))
                (termp t x)
                (disjoint (domain sg) (all-vars t x)))
           (equal (subst t (apply-to-subst sg s) x)
                  (subst t sg
                         (subst t s x)))))
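;; The following Python model is an added illustration for this edition of the
;; events file; it is not code from the file, from PC-NQTHM, or from the
;; Boyer-Moore system.  It exercises the two definitions of events 46 and 47
;; (all-vars-disjoint-or-subsetp, goals-disjoint-from-vars), the per-goal
;; argument sketched above for MAIN-HYPS-RELIEVED-6-REST (a goal whose free
;; vars sit inside domain-1 is unaffected by s2, one whose free vars avoid
;; domain-1 is unaffected by s1), and the equation of
;; SUBST-APPLY-TO-SUBST-ELIMINATOR together with the failure when its
;; disjointness hypothesis is dropped.  The term encoding, the function names
;; (all_vars, subst, restrict, co_restrict, apply_to_subst, ...) and the sample
;; values FREE, GOALS, DOMAIN_1, S, SG, X_OK and X_BAD are all assumptions made
;; for this example; NULLIFY-SUBST is not modelled, sg is just a substitution
;; with a disjoint domain.

```python
# Added model, not code from the events file.  Term encoding (an assumption
# made for this example, not the logic's own representation):
#   variable    -> str, e.g. "X"
#   constant    -> int, e.g. 0
#   application -> tuple (fn, arg1, ...), e.g. ("PLUS", "X", "Y")
# A substitution is a list of (variable, term) pairs; the first match wins,
# so list concatenation plays the role of APPEND in (subst f (append s1 s2) p).


def all_vars(x):
    """Variables occurring in one term (the flg=t case of ALL-VARS)."""
    if isinstance(x, str):
        return {x}
    if isinstance(x, tuple):
        return set().union(*(all_vars(a) for a in x[1:]))
    return set()


def subst(s, x):
    """Apply substitution s to one term (flg=t); unbound variables stay put."""
    if isinstance(x, str):
        for v, t in s:
            if v == x:
                return t
        return x
    if isinstance(x, tuple):
        return (x[0],) + tuple(subst(s, a) for a in x[1:])
    return x


def domain(s):
    return {v for v, _ in s}


def restrict(s, dom):
    return [(v, t) for v, t in s if v in dom]


def co_restrict(s, dom):
    return [(v, t) for v, t in s if v not in dom]


def apply_to_subst(sg, s):
    """Apply sg to the range of s (the role played by APPLY-TO-SUBST)."""
    return [(v, subst(sg, t)) for v, t in s]


def free_vars(goal, free):
    """A goal's free variables: (intersection free (all-vars t goal))."""
    return free & all_vars(goal)


def all_vars_disjoint_or_subsetp(goals, free, x):
    """Event 46: every goal's free variables lie inside x or avoid x."""
    return all(free_vars(g, free) <= x or free_vars(g, free).isdisjoint(x)
               for g in goals)


def goals_disjoint_from_vars(goals, free, vars_):
    """Event 47: the goals whose free variables avoid vars_ entirely."""
    return [g for g in goals if free_vars(g, free).isdisjoint(vars_)]


def append_splits_per_goal(goals, free, s, dom):
    """Per-goal fact behind MAIN-HYPS-RELIEVED-6-REST: with (domain s) inside
    free and the event-46 property holding for dom, (append s1 s2) acts on a
    goal like s1 alone when its free vars sit inside dom and like s2 alone
    when they avoid dom.  True when that is what happens for every goal."""
    if not domain(s) <= free or not all_vars_disjoint_or_subsetp(goals, free, dom):
        return False
    s1, s2 = restrict(s, dom), co_restrict(s, dom)
    for g in goals:
        expected = subst(s1, g) if free_vars(g, free) <= dom else subst(s2, g)
        if subst(s1 + s2, g) != expected:
            return False
    return True


def eliminator_hypothesis(sg, x):
    """Disjointness hypothesis of SUBST-APPLY-TO-SUBST-ELIMINATOR."""
    return domain(sg).isdisjoint(all_vars(x))


def eliminator_equation(sg, s, x):
    """Conclusion of SUBST-APPLY-TO-SUBST-ELIMINATOR, evaluated on one term."""
    return subst(apply_to_subst(sg, s), x) == subst(sg, subst(s, x))


# Constructed sample input (not taken from the paper): two goals p, the
# state's free-variable set, and DOMAIN_1 standing in for the gen-closure.
FREE = {"X", "Y", "Z", "W"}
GOALS = [("EQUAL", ("PLUS", "X", "Y"), "Z"),   # free vars {X, Y, Z}, inside DOMAIN_1
         ("LESSP", "W", ("F", "A"))]           # free vars {W}, disjoint from DOMAIN_1
DOMAIN_1 = {"X", "Y", "Z"}
S = [("X", ("ADD1", "V")), ("Z", 0), ("W", ("G", "Q"))]   # witnessing substitution
SG = [("Q", "X"), ("V", ("H", "W"))]                        # domain {Q, V}
X_OK = ("PLUS", "X", "W")     # mentions neither Q nor V: the eliminator applies
X_BAD = ("PLUS", "X", "Q")    # mentions Q: the hypothesis fails, and so does the equation

if __name__ == "__main__":
    print(goals_disjoint_from_vars(GOALS, FREE, DOMAIN_1))
    print(append_splits_per_goal(GOALS, FREE, S, DOMAIN_1))
    print(eliminator_equation(SG, S, X_OK), eliminator_equation(SG, S, X_BAD))
```

;; Running the block prints the second goal as the only one disjoint from
;; DOMAIN_1, True for the per-goal split, and True/False for the eliminator on
;; X_OK and X_BAD; the last pair is the reason the lemma carries its
;; disjointness hypothesis rather than holding unconditionally.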

;; « 54 »

(prove-lemma theorem-subst-apply-to-subst-with-disjoint-domain (rewrite)
  (implies (and (var-substp sg)
                (var-substp s)
                (termp t x)
                (disjoint (domain sg) (all-vars t x))
                (theorem (subst t s x)))
           (theorem (subst t (apply-to-subst sg s) x)))
  ((disable compose-property)))

;; « 55 »

(disable subst-apply-to-subst-eliminator)

;; The proof of the remaining goal should go through now, one might
;; think.  However, we need one more observation first, because we
;; need to apply the following lemma.


(PROVE-LEMMA SUBST-CO-RESTRICT
  (REWRITE)
  (IMPLIES (AND (DISJOINT X
                          (INTERSECTION (DOMAIN S)
                                        (ALL-VARS FLG TERM)))
                (VARIABLE-LISTP (DOMAIN S))
                (TERMP FLG TERM))
           (EQUAL (SUBST FLG (CO-RESTRICT S X) TERM)
                  (SUBST FLG S TERM))))

;; But, the first hypothesis of this lemma needs special handling
;; because of free variables in the relevant rewrite rules.  The lemma
;; DISJOINT-SUBSETP-HACK was proved at this point, and appears now in
;; sets.events.

;; And finally, we finish.  During polishing I suddenly needed the
;; lemma SUBSETP-INTERSECTION-MONOTONE-2, which is now included in
;; "sets.events", and which in turn suggested
;; SUBSETP-INTERSECTION-COMMUTER there.

;; « 56 »

(prove-lemma main-hyps-relieved-6-rest-generalization (rewrite)
  (let ((s1 (restrict s domain-1))
        (s2 (apply-to-subst (nullify-subst sg)
                            (co-restrict s domain-1))))
    (implies (and (var-substp sg)
                  (var-substp s)
                  (subsetp (domain s) new-free)
                  (termp f p)
                  (theorem-list (subst f s p))
                  (disjoint (domain sg)
                            (all-vars f (goals-disjoint-from-vars
                                         p new-free domain-1)))
                  (all-vars-disjoint-or-subsetp p new-free domain-1))
             (theorem-list (subst f (append s1 s2) p)))))

;; Now to clean up the goals that have been pushed above:

;; « 57 »

(prove-lemma main-hyps-relieved-6-rest (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (theorem-list (subst f (append s1 s2) p)))))))
  ((disable-theory t)
   (enable-theory ground-zero)
   (enable theorem-list subst
           car-generalize ;; so that we can get at p from (car state)
           ;; relieving hyps of main-hyps-relieved-6-rest-generalization:
           main-hyps-relieved-6-rest-lemma-1 main-hyps-relieved-6-rest-lemma-2
           ;; to relieve the (termp f p) hypothesis
           ;; in main-hyps-relieved-6-rest-generalization:
           statep termp-list-cons
           generalize-okp valid-state-opener
           main-hyps-relieved-6-rest-generalization)))


;; « 58 »

(prove-lemma main-hyps-relieved-6
  (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (theorem-list (subst f (append s1 s2)
                                        (cons new-g p))))))))
  ((disable-theory t)
   (enable-theory ground-zero)
   (enable main-hyps-relieved-6-first main-hyps-relieved-6-rest subst
           theorem-list)))

;; « 59 »

(prove-lemma main-hyps-relieved
  (rewrite)
  (let ((g (caar state))
        (p (cdar state))
        (free (cdr state))
        (s (witnessing-instantiation (generalize sg state))))
    (let ((new-g (subst t (invert sg) g)))
      (let ((domain-1
             (gen-closure (cons new-g p) free (all-vars t new-g))))
        (let ((s1 (restrict s domain-1))
              (s2 (apply-to-subst (nullify-subst sg)
                                  (co-restrict s domain-1))))
          (implies (and (generalize-okp sg state)
                        (valid-state (generalize sg state)))
                   (main-hyps s1 s2 sg g p))))))



  ((disable-theory t)
   (enable-theory ground-zero)
   (enable main-hyps main-hyps-relieved-1 main-hyps-relieved-2
           main-hyps-relieved-3 main-hyps-relieved-4 main-hyps-relieved-5
           main-hyps-relieved-6)))

;; « 60 »

(prove-lemma main-theorem-1-case-4
  (rewrite)
  (implies (and (generalize-okp sg state)
                (valid-state (generalize sg state)))
           (theorem-list (subst f
                                (gen-inst sg state)
                                (car state))))
  ((disable-theory t)
   (enable-theory ground-zero)
   (enable gen-inst main-hyps-suffice generalize-okp
           main-hyps-relieved)))

;; « 61 »

(prove-lemma main-theorem-1 (rewrite)
  (let ((wit (gen-inst sg state)))
    (implies (and (generalize-okp sg state)
                  (valid-state (generalize sg state)))
             (and (statep state)
                  (var-substp wit)
                  (subsetp (domain wit) (cdr state))
                  (theorem-list (subst f wit (car state))))))
  ((disable-theory t)
   (enable-theory ground-zero)
   (enable main-theorem-1-case-1 main-theorem-1-case-2
           main-theorem-1-case-3 main-theorem-1-case-4)))

;; « 62 »

(prove-lemma generalize-is-correct
  (rewrite)
  (implies (and (generalize-okp sg state)
                (valid-state (generalize sg state)))
           (valid-state state))
  ((disable-theory t)
   (enable-theory ground-zero)
   (enable main-theorem-1)
   (use (valid-state (witnessing-instantiation (gen-inst sg state))))))

)) 
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